FEDERAL ELECTION COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL REPORT

2010 Follow-up Audit of Privacy and Data Protection

March 2011

ASSIGNMENT No. OIG-10-03


FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463
Office of Inspector General

MEMORANDUM

TO:       The Commission
FROM:     Inspector General
SUBJECT:  Follow-up Audit of Privacy and Data Protection
DATE:     March 31, 2011

This memorandum transmits the Federal Election Commission (FEC) Office of Inspector General's (OIG) final report of the Follow-up Audit of Privacy and Data Protection prepared by Cherry, Bekaert & Holland (CBH). The OIG contracted with CBH to perform a follow-up audit on the findings and recommendations identified in the 2006 Inspection Report on Personally Identifiable Information and the 2007 Performance Audit of Privacy and Data Protection. CBH's objective was to determine whether management implemented the agreed upon actions for each recommendation and whether each audit finding in the two prior reports has been fully resolved.

Audit Findings and Recommendations

CBH's review identified that management has made some improvements since the 2006 Inspection Report on Personally Identifiable Information [PII] and the 2007 Performance Audit of Privacy and Data Protection. However, sixteen (16) of nineteen (19) previous recommendations are still open and new recommendations have been added. Thus, several existing and emerging risks to PII, privacy and data protection have not been identified and addressed.

Significant issues within this report address the progress of the FEC's privacy and data protection program, and the protection of PII within the agency. The FEC's current governance structure over the privacy and data protection program consists of the Co-Chief Privacy Officers (CPOs), who share privacy and data protection responsibilities. This approach of shared responsibilities, along with the CPOs' other full-time responsibilities, prevents efficient and effective progress of the privacy and data protection program. Without one full-time person committed to ensuring (1) proper handling of PII within the agency, (2) that the FEC adheres to all required federal regulations, and (3) adequate oversight and monitoring of the privacy and data protection program, the FEC will continue to face greater challenges and continuous risk to the agency, which is reflected throughout the issues in this report.

The OIG's 2007 contracted audit firm, as well as CBH and my office, believe that the Commission should appoint a single Chief Privacy Officer, as intended by law. The Chief Privacy Officer would continue to be supported by the FEC Privacy Team, both for technical and legal guidance. We acknowledge that the current budget environment is challenging and therefore recommend that, if a full-time CPO position cannot be justified, serious consideration be given to detailing an existing FEC staff person, with the knowledge and/or aptitude in privacy, to assume primary responsibility for FEC privacy.

Audit Follow-up

In accordance with FEC Directive 50, Audit Follow-up, the next step of the audit process will be for the Staff Director to recommend, and the Commission to approve, the Audit Follow-up Official (AFO). The AFO is responsible for the development of management's corrective action plan (CAP) to address the findings and recommendations identified in the audit report. In addition, the AFO is responsible for finalizing the CAP to be provided to the Commission. Due to the number of issues identified in the report, the OIG is recommending an extended schedule to provide management sufficient time to finalize an effective CAP. The OIG recommends that management develop a CAP within 45 days from the issuance of this report, or by May 16, 2011, and provide the CAP to the OIG for review and comment. The OIG will provide comments to management, and the CAP should be finalized by management and transmitted to the Commission by May 31, 2011.

OIG Evaluation of Cherry, Bekaert & Holland (CBH) Audit Performance

In connection with the OIG's contract with CBH, we reviewed CBH's report and related documentation and inquired of its representatives. CBH is responsible for the attached auditor's report and the conclusions expressed in the report. The OIG's monitoring and review of CBH's work disclosed no instances where CBH did not comply, in all material respects, with generally accepted government auditing standards (GAGAS).

We appreciate the courtesies and cooperation extended to Cherry, Bekaert & Holland and the OIG staff. If you should have any questions concerning this report, please contact my office on (202) 694-1015. Thank you.

Lynne A. McFarland
Inspector General

Attachment


2010 FOLLOW-UP AUDIT OF
PRIVACY AND DATA PROTECTION

FEDERAL ELECTION COMMISSION

AUDIT REPORT NUMBER OIG-10-03

Cherry, Bekaert & Holland, L.L.P.
1834 Gallows Road - Suite 400
Vienna, VA 22182
www.cbh.com


Cherry, Bekaert & Holland, L.L.P.
The Firm of Choice.
www.cbh.com
1834 Old Gallows Road - Suite 400
Vienna, Virginia 22182
Phone 703.506.4440
Fax 703.506.8817

March 29, 2011

Ms. Lynne A. McFarland
Inspector General
Federal Election Commission
999 E Street, NW
Washington, DC 20463

Subject: 2010 Follow-up Audit Report on Privacy and Data Protection

Dear Ms. McFarland:

In accordance with the terms of the task order, Cherry Bekaert & Holland LLP conducted a follow-up audit of the findings and recommendations included in the 2007 Performance Audit of Privacy and Data Protection and the 2006 Inspection Report on Personally Identifiable Information for the purpose of determining the status of the corrective actions for the findings noted in these reports.

We interviewed key personnel involved in identifying and protecting personally identifiable information and reviewed documentation supporting the FEC's efforts to address the findings and recommendations contained in the reports referenced above.
During the course of our review, we identified additional specific control weaknesses and deficiencies and developed recommendations designed to improve the FEC's privacy program and compliance with federal privacy and security laws and regulations.

We conducted this follow-up audit in accordance with Government Auditing Standards. This report is intended to meet the purpose described above and should not be used for other purposes.

We appreciate the opportunity to have served the FEC Office of Inspector General.

Very truly yours,

John Montoro
Partner


CONTENTS

Section                                                                          Page
Executive Summary                                                                   1
Background                                                                          9
     Federal Election Commission                                                    9
     Federal Privacy Framework                                                     10
Objectives, Scope and Methodology                                                  12
Detailed Findings and Recommendations                                              14
     1.  Privacy Roles and Accountability                                          14
     2.  Privacy Impact Assessments Have Not Been Conducted                        17
     3.  Monitoring and Review of Regulatory Requirements                          20
     4.  A Current PII Inventory is Not Maintained                                 22
     5.  Current Risk Assessments of Systems Containing PII Are Not Performed      26
     6.  Mobile Computing Policy, Device Encryption and Controls                   28
     7.  Safeguards Over Sensitive Agency Information and PII Need Improvement     37
     8.  Lack of Detailed Procedures and Periodic Review                           45
     9.  Logging                                                                   49
     10. Protections for Remote Access to PII                                      52
     11. Vendor Due Diligence                                                      54
     12. System of Records Notice (SORN) Updates                                   57
     13. Training Workstations                                                     61
Attachments
     1.  Cover Memo To Management Responses to the Cherry, Bekaert & Holland LLP
         2010 Follow-up of the 2007 Performance Audit of Privacy and Data
         Protection Report                                                         63
     2.  Status of 2006 and 2007 Privacy Findings and Recommendations              65
     3.  Definitions                                                               72
     4.  Executive Order 13556 Controlled Unclassified Information                 73


2010
FOLLOW-UP AUDIT OF
PRIVACY AND DATA PROTECTION

FEDERAL ELECTION COMMISSION

The Office of Inspector General (OIG) of the Federal Election Commission (FEC) contracted with Cherry Bekaert & Holland LLP to conduct a follow-up audit of the 2007 Performance Audit of Privacy and Data Protection and the 2006 Inspection Report on Personally Identifiable Information and, specifically, to determine if the FEC has adequately implemented the agreed actions for each recommendation and whether each audit finding has been fully resolved.
This report is organized into the following sections:

     •  Executive Summary
     •  Background
     •  Objectives, Scope and Methodology
     •  Detailed Findings and Recommendations
     •  Attachments

EXECUTIVE SUMMARY

The importance of data protection and privacy within the Federal government and commercial enterprises is constantly increasing and requires continuous attention. The challenges will be even greater in the future as the potential use of new technologies (e.g., cloud computing, more prolific use of wireless mobile computing devices) and changes to business processes and work arrangements (e.g., increased focus on telework) will create new risks to be managed. There is also a general increasing concern among individuals about the use and privacy of their personal information controlled by Federal agencies. For any entity handling personally identifiable information (PII), the effort to sustain an effective and defensible privacy program that meets the public's expectations and applicable legal requirements can be a substantial task.

Based on our observations during this follow-up audit, we do not believe that the current shared approach to privacy and data protection used by the FEC adequately addresses the current needs of the agency, and there is no reason to believe it will meet future challenges if changes are not made. The FEC currently uses a team approach to privacy and data protection which is led by two co-Chief Privacy Officers (CPOs) and supported by the Information Systems Security Officer (ISSO) and two members of the Office of General Counsel, collectively referred to as the "Privacy Team." All of the team members have privacy as a "collateral duty" to their main roles and responsibilities and can only spend a minimal amount of their time on privacy matters. While privacy and data protection is a multi-disciplinary subject that requires input from various departments and subject matter experts, the lack of a single full-time CPO is unique when compared to other Federal agencies and commercial enterprises of similar size and was a finding in the previous audit in 2007.

It is our opinion, and the opinion of the prior auditors, that the current approach of having co-CPOs with privacy as a minimal collateral duty is fundamentally flawed. The model of shared responsibility has limited the FEC's privacy program progress and prohibits the FEC from maturing the privacy program beyond reacting to audit findings and legislative requirements. Despite the substantial budget constraints, we recommend that the FEC change the current approach and appoint one full-time CPO to lead the FEC's privacy and data protection program. The CPO should be the single accountable individual for privacy and data protection, supported by the subject matter expertise and experience of the existing Privacy Team members. In addition, a formal governance framework to identify, monitor and measure risk and program metrics is required to provide the appropriate structure and accountability. These two recommendations are consistent with those noted in the 2007 Performance Audit of Privacy and Data Protection, which management disagreed with and did not implement. This is the third independent review of the FEC's privacy and data protection program since 2006. The FEC has also engaged consultants to assist in certain necessary privacy and data protection initiatives since 2007 and has spent approximately $875,000 on these audits and consultant efforts, yet many of the previous audit recommendations are not addressed. Sixteen (16) of nineteen (19) previous recommendations are still open and many new recommendations have been added.

During our review, we did note that there have been improvements since the 2007 Performance Audit of Privacy and Data Protection. Specifically, important progress included: developing and approving policies; completing an inventory and risk assessment of internal PII repositories in May 2009; deploying security and privacy training in 2008; executing application vulnerability and penetration tests on an annual basis; and enhancing physical security measures within the FEC. However, fundamental activities such as updating and maintaining the inventory of PII and risk assessments have not occurred. In addition, the PII inventory and risk assessment report provided by the consultant in May 2009 included important recommendations that have not yet been addressed by the FEC. The PII inventories and associated recommendations for each division, although completed almost two years ago, were not provided to division management along with a request to validate the inventories, update and maintain the listings, and respond to the recommendations specific to the division.
Thus, existing and emerging risks to PII have not been identified and addressed.

The table on the following pages summarizes the current findings and recommendations, and whether management concurred with those recommendations.


Summary of Findings, Recommendations and Management Concurrence

1. Privacy Roles and Accountability (Repeat finding)
   We recommend that the FEC:
   1a. Assign privacy roles and responsibilities to one individual CPO with high level sponsorship in the Commission. If the Commission decides to continue with two CPOs and SAOPs, roles and responsibilities under these titles should be clearly delineated between the individuals sharing the positions.
       Concurrence: Management does not concur.
   1b. Identify, document in position descriptions and performance plans, and assign specific roles and responsibilities for the monitoring and reporting of compliance with Federal and Commission privacy requirements.
       Concurrence: Management does not concur.

2. Privacy Impact Assessments Have Not Been Conducted (Repeat finding)
   We recommend that the FEC:
   2a. Conduct privacy impact assessments in accordance with Section 522, or create an alternative process for ensuring that privacy risks associated with PII are documented, assessed and remediated as necessary.
       Concurrence: Management concurs in part.
   2b. Comply with OMB memoranda, or in the event of statutory exemption and a decision not to voluntarily comply, document that sufficient controls exist to mitigate the need to comply. Where compliance is not adopted due to resource constraints or other reasons, document the legal assessment, risk analysis, and cost-benefit to the FEC.
       Concurrence: Management concurs in part.
   2c. Identify and implement a governance framework (e.g., NIST, the AICPA's Generally Accepted Privacy Principles (GAPP)) to ensure that controls within the FEC to protect PII are appropriately identified, documented, and implemented.
       Concurrence: Management concurs in part.

3. Monitoring and Review of Regulatory Requirements (Repeat finding)
   We recommend that the FEC:
   3a. Develop a process and assign accountability for the proactive and timely identification of new OMB memoranda, Executive Orders, and other guidance to ensure that they are reviewed and referred for legal opinion on a timely basis.
       Concurrence: Management concurs.
   3b. Complete legal reviews of OMB memoranda and other guidance on a more timely basis and consistently communicate the results to the affected stakeholders, with a copy to the co-Chief Privacy Officers.
       Concurrence: Management concurs in part.

4. A Current PII Inventory is Not Maintained (Repeat finding)
   We recommend that the FEC:
   4a. Update and maintain the inventory of all systems that contain PII for all the divisions. A potential approach is to use the templates created by Solutions Technology Systems, Inc. (STSI), have each division update its current listing, and implement business processes to continually update the inventory based on new or revised handling and storage of PII. A full review could be conducted by the divisions at least annually and will help support the biennial Privacy Act Systems of Records update process.
       Concurrence: Management concurs in part.
   4b. Finalize the evaluation of the draft STSI recommendations and develop, document and implement a corrective action plan as necessary. Progress against the corrective action plan should be formally and periodically reported to management.
       Concurrence: Management concurs.
   4c. Provide the Privacy Team's SSN Reduction Plan Phase 1 report to the applicable division heads, and work with those offices to prepare action plans to address the findings in the report.
       Concurrence: Management concurs.
   4d. Complete Phase 2 and Phase 3 of the "FEC's Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers In Response to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information" as soon as practical. This can be accomplished by providing the STSI results to the divisions and requesting a response on the ability to reduce or eliminate the questionable uses of social security numbers already identified by the contractor.
       Concurrence: Management concurs in part.

5. Current Risk Assessments of Systems Containing PII Are Not Performed (Modified repeat finding)
   We recommend that the FEC:
   5a. Perform a risk assessment annually for all existing and new applications that collect, process, transmit or store PII. If privacy impact assessments (PIAs) were performed, a risk assessment component could be built into that process to accomplish both the PIA and risk assessment recommendations.
       Concurrence: Management concurs in part.
   5b. Prepare a documented corrective action plan for any deficiency noted for each risk assessment performed and report progress periodically until all corrective actions are implemented. The corrective action plan should be approved by management.
       Concurrence: Management concurs in part.
   5c. Include all systems containing PII that are being retired in the risk assessments and develop action plans to ensure the proper transfer of PII to a new system or the secure destruction of the PII in the retired system.
       Concurrence: Management concurs in part.

6. Mobile Computing Policy, Device Encryption and Controls (Repeat finding)
   We recommend that the FEC:
   6a. Modify the Federal Election Commission Mobile Computing Security Policy, Policy Number 58-4, to require that all mobile devices, including Blackberrys, be encrypted.
       Concurrence: Management concurs in part.
   6b. Revise Policy Number 58-4 to specify when exceptions to policy may occur, who may approve the exception, the risks to PII if an exception is granted and any compensating controls, and the level of documentation required to support the exception.
       Concurrence: Management concurs in part.
   6c. Record all mobile computing devices in inventory when received after purchase instead of when issued.
       Concurrence: Management does not concur.
   6d. Perform a review of the process and systems used to maintain the inventory of mobile devices to ensure that they are appropriately designed to maintain a complete and accurate inventory. A complete physical inventory of all mobile devices purchased, less those disposed of, should be performed and reconciled to the existing mobile device inventory listing.
       Concurrence: Management does not concur.
   6e. Include a record in the inventory of whether or not the device is encrypted.
       Concurrence: Management does not concur.
   6f. Implement a process and form requiring employees and contractors to sign when they receive a mobile device, acknowledging their receipt of the asset, and maintain a record of these sign-offs.
       Concurrence: Management does not concur.
   6g. Implement an alternative to assigning a generic laptop encryption passphrase to contractors so that every contractor has a unique, self-selected passphrase, while maintaining the ability to decrypt the stored data in the event of an unexpected departure. The ability to recover the encrypted data of an employee should also be in place.
       Concurrence: Management concurs.

7. Safeguards Over Sensitive Agency Information and PII Need Improvement (Repeat finding)
   We recommend that the FEC:
   7a. ISSO, Physical Security Officer, and/or division management should conduct regular FEC office walkthroughs to ensure that agency staff comply with privacy and information security standards.
       Concurrence: Management concurs.
   7b. Should emphasize document labeling requirements for documents with PII or sensitive information to all staff; standard document templates with labels should be created and their use monitored.
       Concurrence: Management does not concur.
   7c. Should develop a plan to implement Executive Order 13556, Controlled Unclassified Information, and comply with future directives issued by NARA.
       Concurrence: Management concurs in part.
   7d. Division managers should work with the Physical Security Officer and the Records Officer to assess records management and secure storage needs and address failures to adequately secure sensitive information noted during the walkthrough.
       Concurrence: Management concurs.
   7e. Contracting Officer and COTRs should enforce the requirement for contractors to certify secure destruction or return of FEC information in both paper and electronic format.
       Concurrence: Management concurs.
   7f. Should establish a policy and procedures requiring COTRs to inspect the physical space occupied by contractors when the contractor departs to ensure paper and electronic records are securely disposed of or filed.
       Concurrence: Management concurs.
   7g. Should implement the plan to develop and deploy privacy training specific to the individual divisions.
       Concurrence: Management concurs.

8. Lack of Detailed Procedures and Periodic Review (Modified repeat finding)
   We recommend that the FEC:
   8a. Should develop, implement and communicate detailed procedures to all employees for each security and privacy related policy. This may need to occur at the division or department level with the Privacy Team serving as subject matter experts. Detailed procedures will also be helpful for agency staff tasked with monitoring, enforcing and reporting on compliance with the requirements in the associated policies.
       Concurrence: Management concurs in part.
   8b. Should directly link detailed procedures to the source policies and house them in a central, easily accessible location, such as the FEC Intranet.
       Concurrence: Management concurs.
   8c. Should follow a standard template for all policies and supporting documents that includes an adoption and last revision date.
       Concurrence: Management concurs in part.
   8d. Should review all of the privacy and data security policies, procedures, standards and guidelines on a defined timeframe (e.g., annually); they should be dated, updated as necessary, and include a point of contact if employees have questions.
       Concurrence: Management concurs in part.

9. Logging (Repeat finding)
   We recommend that the FEC:
   9.  Implement logging for all computer-readable data extracts from databases holding personally identifiable information (PII).
       Concurrence: Management does not concur.

10. Protections for Remote Access to PII (Repeat finding)
   We recommend that the FEC:
   10a. Should change Policy 58-4.5, Virtual Private Network (VPN), and Directive 58, Electronic Records, Software and Computer Usage, to state that work related data must be saved to the network and not downloaded and saved on local devices. Exceptions to the policy should be clearly documented and approved by management, and, where possible, compensating controls put in place.
        Concurrence: Management concurs in part.
   10b. Should further reinforce the key elements in this and other security policies and also design and implement a formal communications plan to reinforce key privacy and security principles contained in the policies and training.
        Concurrence: Management concurs.
This communication plan should\n                                             include scheduled periodic reminders to employees and contractors on key principles that\n                                             can be delivered through such means as emails, log-in banners, newsletter articles, posters\n                                             or other existing communication vehicles currently used to communicate with employees.\n                                             The most effective messaging is typically brief and focused on a single topic. For\n                                             example, an email message such as: REMINDER: Save all your work on the network and\n                                             do not download to your computer.\n                                     10c.    Modify the Intranet to contain a page with Privacy and data protection policies, procedures\n                                             and updates. This would ensure that all FEC employees are aware of the policies with           10c. Management concurs.\n                                             regard to PII and privacy and data protection.\n\n\n\n                                                                                          6\n                                                                                              \n\n\x0cSummary of Findings, Recommendations and Management Concurrence\nFindings                           Recommendations\t                                                                                             Management Concurrence\n11.        Vendor Due Diligence    We recommend that the FEC:\n           (Repeat finding)        11a.        Should develop and maintain a comprehensive list of all vendors that handle PII.                 11a. Management concurs.\n\n\n\n\n                                           \t\n                                   11b.        
Should develop a policy and supporting procedures to assess and approve vendors with             11b. Management concurs in part.\n\n\n\n\n                                           \t\n\n\n\n\n                                                                                                                                          \n \n\n                                               access to FEC PII to reasonably ensure that the vendor has adequate controls in place to\n                                               protect the information before any PII is provided to the vendor.\n\n\n\n\n                                                                                                               \n\n                                   11c.        Should formally document the process used to review the FEC\xe2\x80\x99s vendors that are entrusted\n                                           \t   with PII and the results should be retained to evidence the review procedures performed.         11c. Management concurs in part.\n                                               In addition, there should be documented management approval from the appropriate\n                                               department head and either of the co-Chief Privacy Officers before the vendor is provided\n                                               access to FEC PII. There may be more than one department head that should review and\n                                               approve a specific vendor if the PII affected pertains to more than one department.\n12.        System of Records       We recommend the FEC Privacy Officer:\n      \t\n\n\n\n\n           Notice (SORN) Updates\n                                   12a.\t       Develop a standardized template to allow system managers to accurately document SORs             12a. Management concurs in part.\n           (Repeat finding)                    independently of the Privacy Team.\n                                   12b. 
       Enhance existing guidelines and procedures to include timelines and deadlines that\n                                                                                                                                                12b. Management concurs.\n                                               \t\n\n\n\n\n                                                                                                                                    \n\n                                               promote regular review and timely updates to SORs.\n\n\n\n\n                                                                                                    \n\n                                   12c.        Work with ITD management to incorporate SORs assessment processes into systems\n                                           \t\n\n\n\n\n                                                                                                                                    \n\n                                               under development and IT lifecycle management processes.                                         12c. Management concurs.\n\n\n\n\n                                                                                                           \n\n                                   12d.        Work with the Physical Security Officer, the FEC Records Officer, and FEC management\n                                           \t\n\n\n\n\n                                               to incorporate SORs assessment processes into electronic and paper records management\n                                               processes.                                                                                       12d. Management concurs.\n\n                                   12e.        
Develop and implement policies and procedures that define monitoring and reporting\n                                           \t\n\n\n\n\n                                                                                                                                        \n \n\n                                               processes to ensure SORs are updated and amendments published in accordance with                 12e. Management concurs in part.\n                                               Federal regulations by:\n                                                                      \n\n\n\n\n\n                                               \xe2\x80\xa2\t        providing regular training to FEC managers and SOR system owners/managers;\n                                               \xe2\x80\xa2\t        Establish deadlines, based on the legal requirements of OMB A-130, for\n                                                         documenting the new SORs, revisions to existing SORs, and publish the updated\n                                                         SORN;\n                                               \xe2\x80\xa2\t        providing legal assessment of potential changes in SORs and quality assuring\n                                                         the SORs produced by system owners/managers;\n                                               \xe2\x80\xa2\t        including performance standards in employee performance plans that are linked\n                                                         to successful compliance with Federal regulations; and\n                                               \xe2\x80\xa2\t        requiring regular reporting of compliance with the timelines to the Commission.\n\n\n\n\n                                                                                            7\n                                                                                                \n\n\x0cSummary of Findings, 
Recommendations and Management Concurrence\nFindings                           Recommendations                                                                            Management Concurrence\n13.        Training Workstations   We recommend that the FEC:\n           (New)                   13.     Restrict the training workstations to only be able to access training materials.   13. Management concurs.\n\n\n\n\n                                                                                          8\n                                                                                              \n\n\x0cBACKGROUND\n\nFederal Election Commission\n\nThe FEC, an independent federal agency established by the Congress as a Commission, is responsible for\nadministering and enforcing the Federal Election Campaign Act (FECA), 2 USC \xc2\xa7 431. The FEC\nadministers and enforces FECA through the three core programs of disclosure, compliance, and public\nfinancing.\n\n        \xe2\x80\xa2\t      Disclosure. Disclosure involves receiving reports of campaign finance transactions by\n                candidates and political committees involved in elections for Federal office and\n                promulgating them as part of the public record.\n\n        \xe2\x80\xa2\t      Compliance. Compliance involves reviewing and assessing campaign finance\n                transactions to ensure that filers abide by appropriate FECA limitations, prohibitions, and\n                disclosure requirements. Compliance also involves oversight of individual contributors,\n                corporations, labor unions, and \xe2\x80\x9cissue\xe2\x80\x9d groups that, although they may not fit within the\n                universe of filers, can be involved in violations of FECA. 
        The FEC has exclusive jurisdiction over civil enforcement of FECA and engages in civil enforcement proceedings to resolve instances of noncompliance.

        • Public Financing. Public financing is the system for financing Presidential primaries, general elections, and national party conventions. Congress designed the program to correct campaign finance abuses perceived in the 1972 Presidential electoral process. The program combines public funding with limitations on contributions and expenditures. The program has three parts: (1) matching funds for primary candidates, (2) funds to sponsor political-party Presidential nominating conventions, and (3) funds for the general election campaigns of major party nominees and partial funding for qualified minor and new party candidates.

        Based on statutory criteria, the FEC determines which candidates and committees are eligible for public funds and funding amounts. The U.S. Treasury then makes the necessary payments. The FEC audits all committees that received public funds to ensure that committees used funds in accordance with the FECA, public funding statutes, and FEC regulations. Based on the FEC’s audit findings, Presidential committees may be required to make repayments to the U.S. Treasury.

The FEC is headed by six commissioners appointed by the President and confirmed by the Senate. Commissioners serve six-year terms, and no more than three Commissioners may represent the same political party.
By statute, the Commissioner chairmanship rotates every year, and the designated chairman has limited authority to set the agency’s agenda.

Under the Commissioners, the FEC’s organizational structure is separated into four primary offices:

        • Office of the Staff Director (OSD). OSD is headed by a statutory officer. Subordinate organizations to the Staff Director are in most cases called “offices” for staff support activities and “divisions” for line activities involved in one or more of the three core programs. Programmatic elements under OSD include the Disclosure Division, Information Technology Division, Information Division, Press Office, Reports Analysis Division, and Audit Division.

        • Office of the General Counsel (OGC). OGC is headed by a statutory officer. Subordinate offices to OGC are titled Associate General Counsels, and each supports one or more of the three core FEC programs.

        • Office of Inspector General (OIG). OIG is headed by a statutory officer, the Inspector General, who reports directly to the Commission and Congress.

        • Chief Financial Officer (CFO). The Office of the CFO is headed by the CFO. Subordinate offices include Finance, Procurement, and Budget.

The FEC’s privacy structure consists of a Privacy Officer, Co-Chief Privacy Officers (CPOs), and Co-Senior Agency Officials for Privacy (SAOP). The Privacy Officer position is held by the Associate General Counsel (AGC) for General Law and Advice (GLA), while the CPO and SAOP positions are shared by the AGC GLA and Chief Information Officer (CIO).
Responsibilities for privacy are separated into two areas, legal and technical; AGC GLA handles legal issues, and the CIO handles technical issues. The Information Systems Security Officer (ISSO) and two attorneys from OGC GLA, along with the Co-CPOs, comprise the FEC “Privacy Team.”

Federal Privacy Framework

Privacy in the Federal government is rooted in passage of the Privacy Act of 1974 and subsequent amendment. Congress enacted the Privacy Act based on its understanding that:

1.      The privacy of an individual is directly affected by collection, maintenance, use, and dissemination of personal information by Federal agencies.

2.      The increasing use of computers and sophisticated information technology, while essential to efficient government operations, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information.

3.      Opportunities for any individual to secure employment, insurance, and credit, the right to due process, and other legal protections are endangered by misuse of certain information systems.

4.      The right to privacy is a personal and fundamental right protected by the Constitution of the United States.

5.      To protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary for Congress to regulate collection, maintenance, use, and dissemination of information by such agencies.

The purpose of the Privacy Act of 1974, as amended, is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to:

1.      Permit an individual to determine what records pertaining to him/her are collected, maintained, used, or disseminated by such agencies.

2.      Permit an individual to prevent records pertaining to him/her obtained by such agencies for a particular purpose from being used or made available for another purpose without consent.

3.      Permit an individual to gain access to information pertaining to him/her in Federal agency records, to have a copy made of all or any portion thereof, and to correct or amend such records.

4.      Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information.

Section 6 of the Privacy Act of 1974, as amended, directed the Office of Management and Budget (OMB) to develop guidelines for agencies to use in the Act’s implementation. Driven by the Privacy Act and recent high-profile incidents surrounding actual or potential privacy breaches or loss of sensitive PII, OMB has released a number of memorandums for agencies to follow in protecting PII, including:

        • OMB Circular A-130, Management of Federal Information Resources, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals
        • OMB Memorandum M-03-18, Implementation of E-Government Act of 2002
        • OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
        • OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy
        • OMB Memorandum M-06-16, Protection of Sensitive Agency Information
        • OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
        • OMB Memorandum M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information
        • OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations
        • OMB Memorandum M-07-19, Reporting Instructions for Federal Information Security Management Act and Agency Privacy Management
        • OMB Memorandum M-08-23, Securing the Federal Government’s Domain Name System Infrastructure
        • OMB Memorandum M-09-02, Information Technology Management Structure and Governance Framework
        • OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
        • OMB Memorandum M-11-02, Sharing Data While Protecting Privacy

In addition to the Privacy Act and OMB memoranda, Congress passed and the President signed into law the Consolidated Appropriations Act, 2005 (Public Law 108-447), on December 8, 2004.
Section 522 of this Act requires certain agencies to designate a senior privacy official, establish privacy and data protection procedures, prepare a written report on the agency’s use of information in an identifiable form [1], obtain an independent third-party review of the agency’s use of information in an identifiable form, and have the Inspector General report to the agency head on the independent review and resulting recommendations.

[1] Identifiable form is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Personally identifiable information (PII) has a similar meaning and will be the term used throughout this document.

Section 522 (d)(3) previously required the Inspector General to contract with an independent third-party privacy professional to evaluate the agency’s use of information in an identifiable form and privacy and data protection procedures. The independent review is to include (a) an evaluation of the agency’s use of information in identifiable form, (b) an evaluation of the agency’s privacy and data protection procedures, and (c) recommendations on strategies and specific steps to improve privacy and data protection management. Section 522 required an independent third-party review at least every two years and required the Inspector General to submit a detailed report on the review to the agency head. Under section 522 of the Consolidated Appropriations Act 2008, the review may now be performed by the Office of Inspector General or by an independent third party. The review is no longer required every two years; instead, the OIG has the flexibility to perform it “periodically” as required.
The report is to be made available to the public through the internet.

Additional laws, regulations, and criteria released by Congress, OMB, and the National Institute of Standards and Technology (NIST) related to privacy include [2]:

        • The E-Government Act of 2002, Section 208
        • Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems
        • FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
        • NIST Special Publication (SP) 800-60, Volume I, Revision 1: Guide for Mapping Types of Information and Information Systems to Security Categories
        • NIST SP 800-60, Volume II, Revision 1: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
        • NIST SP 800-30, Risk Management Guide for Information Technology Systems

The following Executive Order signed by President Obama dated November 4, 2010 addresses information classification within Federal government agencies:

        • Executive Order #13556: Controlling Unclassified Information

OBJECTIVES, SCOPE AND METHODOLOGY

FEC Management prepared a corrective action plan (CAP) to address the findings and recommendations included in the Office of Inspector General’s (OIG) 2007 Performance Audit of Privacy and Data Protection. The objective of this audit follow-up was to determine whether management implemented the agreed actions for each recommendation and whether each audit finding in the 2007 report has been fully resolved. The audit follow-up was conducted in accordance with Government Auditing Standards.
The FEC OIG engaged Cherry Bekaert & Holland LLP to perform this audit follow-up.

In addition to the seven findings and thirteen recommendations included in the 2007 Performance Audit of Privacy and Data Protection, Cherry Bekaert & Holland LLP was required to determine whether controls are adequate to ensure the FEC System of Records (SOR) is updated and published in accordance with the Privacy Act of 1974 and the Office of Management and Budget (OMB) Circular A-130 Appendix I. Cherry Bekaert & Holland LLP also reviewed and is reporting on the six outstanding recommendations from the OIG’s 2006 Inspection Report on Personally Identifiable Information.

Cherry Bekaert & Holland LLP conducted this review through the use of the following: detailed interviews; review and evaluation of relevant documents such as FEC privacy and security policies, procedures, directives, training materials, mobile device asset listings, and system settings; and auditor observation. We conducted interviews to obtain an understanding of the corrective actions implemented since the 2007 Performance Audit of Privacy and Data Protection and to understand management’s approach and strategy for identifying and assessing risk, protecting PII and complying with applicable legal requirements. We interviewed key personnel from senior management and staff from various offices including the members of the FEC Privacy Team.

Based on results of our review, Cherry Bekaert & Holland LLP developed findings and recommendations for management, which are in the following section.

[2] FEC legal analysis concluded that the FEC is exempt from these requirements.

DETAILED FINDINGS AND RECOMMENDATIONS

Management’s responses to the detailed findings were provided in a memorandum dated March 16, 2011 from Mr. Alec Palmer, Acting Staff Director, Chief Information Officer and Co-Chief Privacy Officer and Mr. Lawrence L. Calvert, Associate General Counsel for General Law and Advice and Co-Chief Privacy Officer to Ms. Lynne McFarland, Inspector General and Mr. Jonathan Hatfield, Deputy Inspector General. Management’s responses are included verbatim below. Attachment 1 contains the cover memo to management’s responses.

Finding 1: Privacy Roles and Accountability

The Chief Privacy Officer (CPO), Privacy Officer (PO), and Senior Agency Official for Privacy (SAOP) roles and responsibilities are documented in privacy policies and directives. The CPO and SAOP positions are currently being shared by the Associate General Counsel (AGC) for General Law and Advice (GLA) and the Chief Information Officer (CIO). Review of the documented roles and responsibilities for the CPO and SAOP showed they have not been specifically assigned to either the AGC for GLA or the CIO. In addition, while CPO roles and responsibilities do include responsibility for ensuring compliance with laws and regulations, the policies and directives do not identify how compliance will be monitored or identify which CPO will perform specific monitoring activities.
To the best of our knowledge, we are not aware of any other Federal government agency or private sector organization that has co-CPOs.

Based on interviews with the co-CPOs, we determined that it was unclear which individual is specifically responsible for ensuring compliance with privacy policies and procedures at the agency level.

Consolidated Appropriations Act, 2005, Section 522 (a) Privacy Officer states:

        Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including –

        1.      assuring that the use of technologies sustain and do not erode, privacy protections relating to use, collection, and disclosure of information in an identifiable form;
        2.      assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program;
        3.      assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974;
        4.      evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
        5.      conducting privacy impact assessment of proposed rules of the Department on the privacy of information in identifiable form, including the type of personally identifiable information collected and the number of people affected;
        6.      preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, 11 United States Code, internal controls, and other relevant matters;
        7.      training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies; and
        8.      ensuring compliance with the Department’s established privacy and data protection policies.

Section 522 (b) states that:

        “Establishing Privacy and Data Protection Procedures and Policies. In general.--Within 12 months of enactment of this Act, each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. Such procedures shall be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974, and section 208 of the E-Government Act of 2002.”

The FEC has not assigned responsibility for compliance with privacy regulations to a single individual. Instead the agency has chosen to share the responsibilities between two individuals but has not adequately defined the respective roles and responsibilities of either in job descriptions.

Consolidated Appropriations Act, 2005, Section 522 (a) describes the responsibilities of a “Chief Privacy Officer” and does not prohibit co-Chief Privacy Officers.
However, without clearly\n        assigning accountability for privacy leadership to a specific individual, it has limited the progress\n        of the privacy program made by the FEC and prohibits the FEC from maturing the privacy\n        program beyond reacting to audit findings and legislative requirements. In addition, the\n        Commission\xe2\x80\x99s ability to hold specific individuals accountable for failures to develop, implement,\n        and monitor a privacy framework is reduced. Without a strong privacy framework, the risk of\n        sensitive or personally identifiable information being obtained and used for unauthorized\n        purposes increases.\n\nRecommendations\n\nWe recommend that the FEC:\n\n        1a. \t   Assign privacy roles and responsibilities to one individual CPO with high level\n                sponsorship in the Commission. If the Commission decides to continue with two CPOs\n                and SAOPs, roles and responsibilities under these titles should be clearly delineated\n                between individuals sharing the positions.\n\n        1b. \t   Identify, document in position descriptions and performance plans, and assign specific\n                roles and responsibilities for the monitoring and reporting of compliance with Federal\n                and Commission privacy requirements.\n\nManagement Response to 1a:\n\nManagement does not concur: The report provides that \xe2\x80\x9c[b]ased on interviews with the co-CPOs, we\ndetermined that it was unclear who was specifically responsible for ensuring compliance with privacy\npolicies and procedures at the agency level.\xe2\x80\x9d To clarify we believe that the roles and responsibilities of\nthe Co-CPOs are clearly defined in Directive 65, and that there should not be one individual CPO.\nDirective 65, \xe2\x80\x9cDesignation of Chief Privacy Officer and Senior Agency Official for Privacy\xe2\x80\x9d explicitly\ndescribes the duties of the Co-CPOs. 
The Directive indicates that the \xe2\x80\x9cChief Information Officer [CIO]\nand the FEC Associate General Counsel for General Law and Advice [AGC] shall serve jointly as the\nChief Privacy Officer as well as the Senior Agency Official for Privacy.\xe2\x80\x9d It also provides that while the\nCIO and AGC will share the CPO duties, the CIO will address \xe2\x80\x9ctechnological safeguards and processes\xe2\x80\x9d\nand the AGC will address \xe2\x80\x9cissues of statutory and regulatory interpretation.\xe2\x80\x9d Thus the Directive is clear\nas to the roles and responsibilities of the Co-CPOs.\n\n                                                   15\n\n\x0cAdditionally, we disagree that an individual CPO is necessary. One of the benefits of having two CPOs\n(as well as having members of the team from OGC and OCIO) is that it affords us the opportunity to\nshare unique perspectives and judgments that are possible only because of our differing expertise and\nbackgrounds. Using a multidisciplinary team to address privacy issues enables us to consider technology\nand legal issues simultaneously. This would not be possible if there were only one CPO.\n\nWe acknowledge that there would be some benefits to having a single CPO. However, we believe most\nof these benefits would be realized only if the position of CPO was a full-time position, rather than a\ncollateral duty. Such an official would likely be able to move projects forward more efficiently, and\naccountability would be simpler. However we believe that at this time, in the Commission\xe2\x80\x99s\ncircumstance, those benefits are outweighed by the benefits of having a joint working group (i.e. less\nstove piping and more synergy; and the advantage of having two agency officials with the clout to receive\nbuy-in for privacy projects from the Commission and senior managers). 
While we agree that privacy is of\nthe utmost importance, and it is unfortunate that we have been unable to move forward with some privacy\nprojects at a faster pace because of conflicting priorities, we still find that the progress that has been made\nis significant in comparison to what has been done in the past (e.g., it took approximately 13 years for the\n2008 SORNs to be published, whereas there will only be a 3-year gap when the 2011 SORNs are\npublished). Moreover, given that the greatest benefits of a single CPO would accrue from having a full-\ntime CPO, we have to acknowledge that the ability to create such a position is highly unlikely in the\nbudgetary environment the Commission is likely to face over the next several years. For these reasons,\nwe respectfully decline to adopt a single CPO model.\n\nAuditor Response:\n\nWe acknowledge that progress has been made over the past couple of years and that the Privacy Team\nmembers have other significant job responsibilities. However, significant work remains. We continue to\nbelieve the Commission should appoint a single individual to the position of Chief Privacy Officer. We\nacknowledge that the current budgetary environment is very challenging and adding a new CPO position\nseems in conflict to budgetary constraints. However, it appears that management acknowledges the\nbenefits of a full-time CPO. We believe that a discussion with the Commissioners by management\nregarding a full-time CPO position is warranted to create the position, or serious consideration is made to\ndetail an existing FEC staff person with the knowledge and/or aptitude in privacy to assume primary\nresponsibility for FEC privacy.\n\nManagement Response to 1b:\n\nManagement does not concur: The roles and responsibilities outlined in Directive 65, and the FEC\nPrivacy Policies and Procedures provide sufficient accountability for the Co-CPOs with respect to\nagency-wide privacy compliance. 
If the goal is to hold someone accountable for privacy these directives\naccomplish that goal. The Co-CPOs in turn hold the rest of the Privacy team responsible and accountable\nfor privacy duties.\n\nAuditor Response:\n\nAccountability should be strengthened through more detailed metrics that are included in the performance\nplans of Privacy Team members.\n\n\n\n\n                                                    16\n\n\x0cFinding 2: Privacy Impact Assessments Have Not Been Conducted\n\nThe original findings from the 2007 report regarding the lack of privacy impact assessments (PIAs)3 and\nselective compliance with OMB memoranda without documented analysis and justification have not been\naddressed. While there are various security review procedures periodically executed by Information\nTechnology Division (ITD) staff or contractors, the procedures compliment but do not replace the need\nfor PIAs on new and existing systems. Also, rather than implementing information security controls\ndescribed in OMB memorandums as a matter of best practice, the agency continues to rely on legal\njustifications and exemptions to support not adopting OMB standards. Noting the FEC\xe2\x80\x99s exemption from\nFinancial Information Security Management Act (FISMA) and NIST under the E-Government Act, the\nlongstanding practice of legal assessment, rather than risk assessment, lacks adequate due diligence\nbecause the potential impact of the agency\xe2\x80\x99s failure to implement specific information system security\ncontrols is not fully considered. For instance, OMB memoranda, M-08-23, released August 22, 2008,\nrequired agencies to deploy \xe2\x80\x9cDomain Name System Security (DNSSEC) to all Federal information\nsystems by December 2009. 
DNSSEC provides cryptographic protections for DNS communication\nexchanges, thereby removing threats of DNS-based attacks and improving overall integrity and\nauthenticity of information processed over the internet.\xe2\x80\x9d It is noted that OMB memoranda are largely\nbased on FISMA and NIST requirements, The FEC Office of General Counsel (OGC) provided a legal\nassessment of OMB M-08-23 on March 10, 2010 and opined that:\n\n        \xe2\x80\x9cThe memo is derived from security recommendations made in NIST Special Publication 800-81;\n        the security controls are intended to remove threats of attacks to the agency\'s domain name\n        system (DNS). According to the memo, the controls are to be initiated on "FISMA high and\n        moderate impact information systems" and will be tracked on future FISMA reports. The FEC is\n        exempt from FISMA, since the Act only applies to agencies subject to the Paperwork Reduction\n        Act (44 USC 3502), from which the FEC is explicitly exempt. The FEC is not required to follow\n        NIST guidance under 15 U.S.C. \xc2\xa7 278g-3(a). Moreover, because NIST guidance stems from\n        FISMA, it follows that we are exempt from its recommendations. For these reasons, the FEC is\n        not required to follow OMB M-08-23, although it may decide to do so only as a best practice.\xe2\x80\x9d\n\nWe note that the legal opinion stated the agency \xe2\x80\x9cmay decide to do so only as best practice ,\xe2\x80\x9d however the\nagency has not yet performed or documented a risk assessment and cost benefit analysis on implementing\nor failing to implement the security standard. The legal assessment was performed more than 18 months\nafter release by OMB and after the date for submission of draft agency plans by September 5, 2008 and\nthe effective date of December 2009. 
The assessment did not address mandatory language in the\nmemorandum that expanded the scope of existing policy and applied it to \xe2\x80\x9call United States Government\n\xe2\x80\x9cUSG\xe2\x80\x9d information systems.\xe2\x80\x9d\n\nA documented risk assessment would include addressing questions such as:\n\n    \xe2\x80\xa2\t Is the subject matter in the OMB memorandum applicable to FEC operations?\n    \xe2\x80\xa2\t What are the risks or \xe2\x80\x9cwhat could go wrong\xe2\x80\x9d scenarios if the guidance in the OMB memorandum\n       is not implemented?\n    \xe2\x80\xa2\t Considering current controls in place, what is the likelihood that the risks identified will \n\n       materialize?\n\n\n3\n  Privacy Impact Assessment (PIA) - is an analysis of how information is handled: (i) to ensure handling conforms to\napplicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of\ncollecting, maintaining and disseminating information in identifiable form in an electronic information system, and\n(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential\nprivacy risks. 
Source: OMB 03-22.\n\n                                                      17\n\n\x0c    \xe2\x80\xa2\t What is the cost to mitigate the risk?\n    \xe2\x80\xa2\t What is the level of complexity to mitigate the risk?\n    \xe2\x80\xa2\t Are the means to mitigate the risk primarily dependent on technology, process or personnel\n       changes?\n    \xe2\x80\xa2\t What are the benefits to mitigate the risk?\n    \xe2\x80\xa2\t What is the estimated timeframe to mitigate the risk?\n    \xe2\x80\xa2\t What are the human resource requirements to mitigate the risk?\n    \xe2\x80\xa2\t If the risks identified will be accepted, the rationale, and management approval for that decision\n       should be documented.\n\nAs interpreted and applied by the FEC, exception under the E-Government Act overrides the fact that the\nFEC does have high or moderate impact information systems and risk associated with potential\nunauthorized use, compromise, and loss of the fec.gov domain space. There is no documented acceptance\nof risk and no accountability if the agency\xe2\x80\x99s failure to apply the security standard results in the possibility\nof the FEC website being defaced with false or offensive information (e.g., pornography), disabled so that\nthe website is not accessible to the public or is infected with malicious software that could harm a website\nvisitor\xe2\x80\x99s computer.\n\nSection 522, Section (a)(5) of the Consolidated Appropriations Act of 2005 states as follows:\n\n        Each agency shall have a Chief Privacy Officer to assume primary responsibility for\n        privacy and data protection policy, including conducting a privacy impact assessment of\n        proposed rules of the Department on the privacy of information in an identifiable form,\n        including the type of personally identifiable information collected and the number of\n        people affected.\n\nOMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, page 1, states:\n\n 
       As is required by the Privacy Act, the Federal Information Security Management Act\n        (FISMA), and other laws and policies, each agency must take appropriate steps\n        necessary to protect personal information from unauthorized use, access, disclosure or\n        sharing, and to protect associated information systems from unauthorized access,\n        modification, disruption or destruction. Agencies are required to maintain appropriate\n        documentation regarding their compliance with information privacy laws, regulations,\n        and policies.\n\nThe FEC has conducted a legal review and determined the agency is exempt from the requirement to\ncomplete PIAs. In addition, some Privacy Team members believe the PIA process is too onerous and\nthere is not sufficient staff to execute PIAs. Neither of the co-Chief Privacy Officers has been assigned\nresponsibility or accountability for performing alternate risk assessment processes.\n\nA comprehensive approach to identifying, assessing, mitigating, monitoring and reporting risks, which\nwould include a PIA or equivalent process, has not been mandated and thus has not been implemented.\nWithout such a framework, management may be taking on more risk than they would otherwise want to\naccept, or the current process may be inefficient in the application of necessary controls. In addition,\nwithout a privacy impact assessment, the FEC cannot accurately assess where privacy related risks exist.\nSensitive PII may be compromised by an unauthorized user if they exploit these unprotected risks.\n\n\n\n\n                                                    18\n\n\x0cRecommendations\n\nWe recommend that the FEC:\n\n        2a.     Conduct privacy impact assessments in accordance with Section 522, or create an\n                alternative process for ensuring that privacy risks associated with PII are documented,\n                assessed and remediated as necessary.\n\n        2b.     
Comply with OMB memoranda, or in the event of statutory exemption and a decision not\n                to voluntary comply, document that sufficient controls exist to mitigate the need to\n                comply. Where compliance is not adopted due to resource constraints, document the legal\n                assessment, risk analysis, and cost-benefit to the FEC.\n\n        2c.     Identify and implement a governance framework (e.g., NIST, the AICPA\xe2\x80\x99s Generally\n                Accepted Privacy Principles (GAPP)), to ensure that controls within the FEC to protect\n                PII are appropriately identified, documented, and implemented.\n\nManagement Response to 2a:\n\nManagement concurs in part: At the outset, it must be noted that the agency has flexibility as to\nwhether it should conduct privacy impact assessments (PIAs) as this is a requirement under the E-\nGovernment Act, from which the agency is exempt. Thus, as noted by the auditors, the agency is not\nmandated by law to conduct PIAs or any similar process that would be required by the E-Government\nAct. However, we may consider implementing a modified, or alternative, template document that would\nprovide the benefits of a PIA without the strain on the Commission\xe2\x80\x99s staffing resources.\n\nAuditor Response:\n\nWhile PIAs are not a legal requirement for the FEC, PIAs, or an equivalent, are an invaluable tool to\nreasonably ensure that privacy risks are identified and addressed. 
We look forward to reviewing the\ndetails in the corrective action plan of when a modified or alternative template will be implemented or\nfurther explanation of why it will not be implemented.\n\nManagement Response to 2b:\n\nManagement concurs in part: The auditors noted that \xe2\x80\x9crather than implementing information security\ncontrols described in OMB memorandums as a matter of best practice, the agency continues to rely on\nlegal justifications and exemptions to support not adopting OMB standards.\xe2\x80\x9d This is not entirely true.\nWhile legal exemptions may be one factor in determining whether to adopt a OMB standard, they are not\nthe only factor. The agency relies on various factors to determine whether a standard should be\nimplemented despite the exemption, most notably cost and resources.\n\nNevertheless, we agree that in certain cases it may be appropriate for the agency to conduct an informal\nrisk assessment and cost-benefit analysis of an OMB requirement if there is a statutory exemption. These\nlimited circumstances are: 1) where the requirements are feasible to implement from a budgetary,\nresource, and agency-mission perspective; and 2) where the costs or benefits of implementing those\nrequirements are unclear or require additional investigation. 
While we do not agree that a formal\ndocumented risk assessment is necessary to explain why management decided to opt out of an OMB\nrequirement that the agency is exempt from, we can agree to conduct a documented informal analysis that\nexplains the costs of implementing the guidance, and how the costs outweigh the benefits of compliance.\n\n\n                                                  19\n\n\x0cAuditor Response:\n\nWhile we acknowledge that an informal documented risk assessment would be an improvement over the\ncurrent state, the agency\xe2\x80\x99s position why OMB guidance was or was not adopted should be a formal\nprocess with the conclusions approved by management.\n\nManagement Response to 2c:\n\nManagement concurs in part: We appreciate the auditors calling our attention to the GAPP framework.\nOn first review, the principles of GAPP, although developed for private entities, appear to be closely\naligned with the requirements of the Privacy Act (which applies to the FEC) and with the agency\xe2\x80\x99s\nprivacy policies. While we cannot commit to adopting GAPP in its entirety at this time, we can commit\nto a careful review of GAPP.\n\nAuditor Response:\n\nWe agree that a careful review of GAPP should be performed and a documented summary of the results\nbe prepared and provided to management. We look forward to reviewing the details and milestones for\nthe review in the corrective action plan.\n\nFinding 3: Monitoring and Review of Regulatory Requirements\n\nThere is no defined process or assigned accountability by which the Commission identifies new OMB\nmemoranda or Executive Orders and ensures that they are reviewed for legal applicability. In addition, if\nthe memoranda or Executive Orders do not legally apply, a risk assessment to evaluate if it is prudent to\nadopt the directive is not performed. 
During this follow-up review, we identified several OMB\nmemoranda related to information security or privacy issues that were issued since December 2007, when\nthe prior audit report was released, including:\n\n    1.\t M-08-23, August 22, 2008, \xe2\x80\x9cSecuring the Federal Government\xe2\x80\x99s Domain Name System\n\n        Infrastructure (Submission of Draft Agency Plans Due by September 5, 2008).\xe2\x80\x9d\n\n\n        FEC legal opinion rendered on March 10, 2010.\n\n    2.\t M-09-02, October 21, 2008, \xe2\x80\x9cInformation Technology Management Structure and Governance\n        Framework.\xe2\x80\x9d\n\n        FEC legal opinion rendered on June 16, 2009.\n\n    3. M-10-23, June 25, 2010, \xe2\x80\x9cGuidance for Agency Use of Third-Party Websites and Applications.\xe2\x80\x9d\n\n        FEC legal review in progress.\n\n    4.\t M-11-02, November 2, 2010, \xe2\x80\x9cSharing Data While Protecting Privacy.\xe2\x80\x9d\n\n        FEC legal opinion rendered on December 6, 2010.\n\nAs is evident from the above, legal reviews are not always conducted on a timely basis. The reason is that\nunless a division or department requests a legal review of new OMB memoranda or Executive Order, the\nOffice of General Counsel does not perform a review. In some cases, the delayed timing for performing a\nlegal review is due to legal resources having higher priorities. As a result of untimely review of the OMB\nmemoranda or Executive Orders, any applicable legal requirement or high risk item in the documents may\n\n                                                 20\n\n\x0cnot be addressed on a timely basis if the affected division or department does take necessary action before\nrequesting or receiving a legal opinion.\n\nRecommendations\n\nWe recommend that the FEC:\n\n        3a.     
Develop a process and assign accountability for the proactive and timely identification of\n                new OMB memoranda and Executive Orders to ensure that they are reviewed and\n                referred for legal opinion on a timely basis.\n\n        3b.     Complete legal reviews of OMB memoranda on a more timely basis and consistently\n                communicate the results to the affected stakeholders, with a copy to the co-Chief Privacy\n                Officers.\n\nManagement\xe2\x80\x99s General Response to Finding 3:\n\nIt is true that the Office of General Counsel General Law & Advice Division, Administrative Law Team\nprovides advice most often upon request, as we are not always made aware of OMB memoranda when\nthey are issued. However, there is one notable exception to this rule. Every year in connection with the\nFinancial Statements Audit, the Administrative Law Team conducts a review of all information\ntechnology guidance, laws, and Government-wide rules and regulations passed within the last year. This\ndocumented legal review often includes a review of privacy-related OMB memoranda, since they often\nrelate to information technology. As a result, yearly reviews are conducted on many privacy-related\nguidance.\n\nAdditionally, it cannot be assumed that the timing of a legal review will delay the agency\xe2\x80\x99s compliance.\nA division/office may determine to move forward with the enforcement of OMB guidance without\nseeking legal advice. Finally, as indicated in management\xe2\x80\x99s response to the 2007 audit, management does\nnot solely base its decision to follow, or not follow, OMB guidance on legal exemptions. Even if the\nagency is exempt from following a certain OMB requirement, management may decide to implement it as\na best practice. The decision to implement the requirement is often based on budgetary or resources\nconcerns, not legality.\n\nAuditor Response:\n\nWe acknowledge the annual review process. 
Our observation and concern is that the FEC as an agency\ndoes not have a formal process to identify, review and address all applicable legal requirements on a\ncontinuous basis regardless of whether the OGC is asked for an analysis. While the agency could take\nactions to comply with any particular legal requirement without legal review, we believe a process to\nidentify and review all applicable requirements will result in greater assurance that the agency is aware of\nand ensures actions on those requirements to achieve compliance.\n\nManagement Response to 3a:\n\nManagement concurs: Management agrees to work with the Office of the Chief Information Officer\n(OCIO) and other stakeholders to develop a process for monitoring and/or processing privacy-related\nOMB memoranda and Executive Orders for legal review, when necessary.\n\n\n\n\n                                                  21\n\n\x0cAuditor Response:\n\nThe agency\xe2\x80\x99s planned action is responsive to the audit issue identified and when fully implemented,\nshould satisfy the intent of the audit recommendation.\n\nManagement Response to 3b:\n\nManagement concurs in part: We agree that legal review of privacy-related OMB memoranda should\ntake place in a timelier manner, and will look for ways to streamline this process. We note that, with\nrespect to OMB M-08-23, we did not receive a legal review request from OCIO until February 23, 2010,\nand thus the legal review was promptly rendered on March 10, 2010. For OMB M-09-02, legal review\nwas not sought by any of our clients. 
As a result, Administrative Law was not aware of the memorandum\nuntil it conducted its applicable laws legal review in connection with the Financial Statements Audit.\nAdditionally, while an initial legal assessment was conducted for OMB M-10-23, on July 8, 2010 (one\nday after it was requested), it was determined to be a lower priority to the agency as the Commission is\nnot extensively involved in third party social media sites such as YouTube or Facebook. The\nCommission has recently established a Twitter account. We will reevaluate the memo to determine its\napplicability and requirements with respect to the Commission\xe2\x80\x99s Twitter account.\n\nIt is important to also note that some OMB guidance that is about IT matters may have privacy\nimplications, but may not on its face indicate that it is about privacy. Accordingly, in some instances\nguidance may be provided relatively soon after a client requests it but some time after it is promulgated.\n\nAuditor Response:\n\nThe agency\xe2\x80\x99s planned action is responsive to the audit issue identified and when fully implemented,\nshould satisfy the intent of the audit recommendation. We look forward to reviewing the detailed plan on\nhow to streamline the review process in the corrective action plan.\n\nFinding 4: A Current PII Inventory is Not Maintained\n\nAn inventory of FEC systems that contain personally identifiable information (PII) was conducted by\nSolutions Technology Systems, Inc. (STSI) and documented in a report dated May 20, 2009. The report\ncontained many recommendations to enhance the protection of PII in both paper and electronic form. A\nprocess has not been developed, documented and implemented to periodically update the FEC\xe2\x80\x99s inventory\nof PII. 
Since the report was released more than 18 months ago, the FEC Privacy Team recently prepared\na draft report evaluating the recommendations to determine which will be implemented.\n\nThe FEC Privacy Team created a document titled \xe2\x80\x9cFEC Plan to Review and Reduce Holdings of\nPersonally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers In\nResponse to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\nPersonally Identifiable Information.\xe2\x80\x9d This document contains a three phase approach to addressing the\nOMB requirements. The first phase, to identify uses of social security numbers in the agency, was\ncompleted by STSI as noted above. Phase 2 of the plan, to explore alternatives to the collection and use\nof social security numbers, was to be completed by May 2008. Phase 3, implement actions to reduce the\nuse of social security numbers, where feasible, was scheduled to be completed in November 2008. To\ndate, neither phase 2 nor phase 3 have been completed and the plan has not been updated to reflect revised\nimplementation dates. In the Annual Privacy Management Report of the Federal Election Commission\nsubmitted to OMB on November 15, 2010, the Co-Senior Agency Officials for Privacy reported:\n\n        \xe2\x80\x9cThe Co-Chief Privacy Officers intend to move forward with Phases 2 and 3 of the PII Plan,\n        which includes reviewing the proposed recommendations from the Privacy Team, working with\n\n                                                  22\n\n\x0c        agency offices to discuss the alternatives to SSN use discussed in the Phase 1 Report, and\n        implementing those alternatives if approved. The Privacy Team will also monitor the impact of\n        those alternatives on work processes to determine their effectiveness.\xe2\x80\x9d\n\nThe STSI report identified questionable or unnecessary use of social security numbers by form or\ndocument type, and division. 
The Privacy Team has not provided the information to the divisions with a\nrequest to explain, support or cease questionable use of social security numbers.\n\nConsolidated Appropriations Act of 2005, Section 522 (a) Privacy Officer states:\n\n        Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and\n        data protection policy, including \xe2\x80\x93 (7) ensuring that the Department protects information in an\n        identifiable form and information systems from unauthorized access, use, disclosure, disruption,\n        modification, or destruction.\n\nOMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable\nInformation, dated May 22, 2007, section B.1, Privacy Requirements -Review and Reduce the Volume of\nPersonally Identifiable Information, states:\n\n        \xe2\x80\x9cReview Current Holdings. Agencies must now also review their current holdings of all\n        personally identifiable information and ensure, to the maximum extent practicable, such holdings\n        are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the\n        proper performance of a documented agency function.\xe2\x80\x9d\n\nOMB M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005, states:\n\n        \xe2\x80\x9cAs is required by the Privacy Act, the Federal Information Security Management Act (FISMA),\n        and other laws and policies, each agency must take appropriate steps necessary to protect\n        personal information from unauthorized use, access, disclosure or sharing, and to protect\n        associated information systems from unauthorized access, modification, disruption or\n        destruction. 
        Agencies are required to maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies.”

FEC Privacy Policies and Procedures, undated, Section VII, Security, states:

        “The FEC shall provide security protection for all records that contain personal information maintained in FEC’s systems to ensure the accuracy, integrity and confidentiality of the records. The FEC’s security protections for systems that store personal information shall include appropriate administrative, technical and physical safeguards such as:

            1. Physical security of both hard copy and electronic data;
            2. Personnel security for employee and contractor access to data;
            3. Network security for data in transit; and
            4. Secure and timely destruction of records.

        The security protection afforded each system shall be commensurate with the risk level and magnitude of harm the FEC and/or the record subject would face in the event of a security breach.”

There is no requirement to periodically update the inventory of PII that is part of the FEC’s security and privacy governance approach. The review of the STSI recommendations and the execution of the “FEC’s Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers In Response to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information” were not completed due to other priorities and the fact that Privacy Team members spend only a small portion of their time on privacy matters.

The lack of a current PII inventory prevents the Commission from effectively evaluating and ensuring the appropriate protection and disposal of PII. Delays in evaluating and implementing the recommendations in the STSI report result in continued security risks to PII held by the Commission. The delay in implementing the plan to reduce the use of SSNs, where feasible, results in unnecessary risk of PII disclosure and increased effort to identify, protect and securely dispose of the information.

Recommendations

We recommend that the FEC:

        4a. Update and maintain the inventory of all systems that contain PII for all the divisions. A potential approach is to use the templates created by STSI, have each division update its current listing, and implement business processes to continually update the inventory based on new or revised handling and storage of PII. A full review could be conducted by the divisions at least annually and would help support the biennial Privacy Act Systems of Records update process.

        4b. Finalize the evaluation of the STSI recommendations and develop, document and implement a corrective action plan as necessary. Progress against the corrective action plan should be formally and periodically reported to management.

        4c. Provide the Privacy Team’s SSN Reduction Plan Phase 1 report to the applicable division heads, and work with those offices to prepare action plans to address the findings in the report.

        4d. Complete Phase 2 and Phase 3 of the “FEC’s Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers In Response to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information” as soon as practical. This can be accomplished by providing the STSI results to the divisions and requesting a response on the ability to reduce or eliminate the questionable uses of social security numbers already identified by the contractor.

Management Response to 4a:

Management concurs in part: While management concurs in part with this recommendation, we wish to correct a statement made in the report. The auditors found that “[t]here is no requirement to periodically update the inventory of PII that is part of the FEC’s security and privacy governance approach.” This is not true. The “FEC Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers In Response to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information” provides for a biennial review of the agency’s PII holdings as well as its SSN holdings and SORNs.
Additionally, as part of the statement of work for the 2009 PII review, STSI created a proposed procedure for updating the PII inventory. Thus the agency has incorporated inventory updates into its overall privacy program. Accordingly, we agree that the PII inventory should be updated, but only on a biennial basis (i.e. the next update would be conducted this year).

With respect to the recommendation that we devolve this responsibility to the system manager level, we think this is a good idea in the abstract, but in order to implement it we see potential issues with buy-in and adequate training. A remedy to these issues would of course be essential. Consequently, while we cannot commit at this time to such devolution, we can commit to strongly considering it.

Auditor Response:

We acknowledge that the “FEC Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers In Response to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information” does state that a “review” of PII will be conducted every two years. If the review includes updating the PII inventory, we agree that a plan is in place. We look forward to reviewing the results of the consideration of devolving the inventory responsibilities and the planned timeline for such consideration in the corrective action plan.

Management Response to 4b:

Management concurs: We agree with this recommendation and are already in the process of finalizing the Privacy Team’s analysis of the PII Review Assessment Report. Upon approval of the Privacy Team’s recommendations by the Chief Privacy Officers, the Privacy Team will develop a corrective action plan aimed at addressing the deficiencies found in the review.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Management Response to 4c:

Management concurs: We agree with this recommendation and will work with affected offices to prepare action plans to address the SSN Phase 1 Report recommendations once they have been approved by the Chief Privacy Officers.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Management Response to 4d:

Management concurs in part: We agree to complete Phases 2 and 3 of the plan as soon as practical, but believe this can best be accomplished by disclosing the findings of the Privacy Team’s SSN Reduction Plan Phase 1 report to the applicable division heads, and working with those offices to prepare action plans to address the findings in the report as recommended in Finding 4c.

Auditor Response:

We agree that the recommendation in 4c should be completed first and encourage Phases 1-3 of the plan to be completed as quickly as practical, as they are significantly behind schedule.

Finding 5: Current Risk Assessments of Systems Containing PII Are Not Performed

Since the 2007 Privacy and Data Protection Audit report was released, the Commission contracted for secure destruction containers and placed them throughout the building. This allows employees to securely dispose of paper and electronic media that contain PII or other sensitive information.
In addition, vulnerability and penetration tests of certain computer applications were conducted in 2009 and 2010. This annual process provides a point-in-time view of application and network vulnerabilities; however, these vulnerabilities can change quickly over time. Further, contractors performed a comprehensive risk assessment in 2008 for the Administrative Fines, Case Management, ComprizonBuy/ComprizonSuite, Disclosure System, Presidential Matching Funds, PeopleSoft, and the FEC Local Area Network (LAN) using the NIST SP 800-30, Risk Management Guide for Information Technology Systems[4] framework. The risk assessments did include an evaluation of remote access to the FEC LAN, which management informed us is the only approved way to remotely access the FEC network. However, the risk assessments did not assess the PII protection needs of all systems containing PII, and, since that time, no additional risk assessments have been conducted. The existing risk assessments have not been reviewed or updated for changes in agency systems.

OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, states:

        “As is required by the Privacy Act, the Federal Information Security Management Act (FISMA), and other laws and policies, each agency must take appropriate steps necessary to protect personal information from unauthorized use, access, disclosure or sharing, and to protect associated information systems from unauthorized access, modification, disruption or destruction. Agencies are required to maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies”.

FEC Risk Management Policy, 58-2.1 states:

        “c. A risk assessment framework should be established to ensure that risks to FEC electronic information and computing resources are regularly assessed. This framework should be designed to provide a basis for determining how technical, administrative, physical, and operational risks can be managed to an acceptable level;

        d. The risk assessment framework should provide for risk assessments on a recurring basis, in accordance with applicable federal guidance; risk assessment information should be updated with results of audits, inspections and identified incidents;”

The FEC does not have a requirement to perform periodic risk assessments related to PII. The lack of periodic risk assessments that specifically assess PII protection needs prevents the FEC from knowing whether PII is being appropriately safeguarded.

[4] This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and transmit this information.

Recommendations

We recommend that the FEC:

        5a. Conduct a risk assessment annually for all existing and new applications that collect, process, transmit or store PII. If PIAs were performed, a risk assessment component could be built into that process to accomplish both the PIA and risk assessment recommendations.

        5b. Prepare a documented corrective action plan for any deficiency noted for each risk assessment performed and report progress periodically until all corrective actions are implemented. The corrective action plan should be approved by management.

        5c. Include all systems containing PII that are being retired in the risk assessments and develop action plans to ensure the proper transfer of PII to a new system or the secure destruction of the PII in the retired system.

Management Response to 5a:

Management concurs in part: We appreciate the auditors’ clarification on February 3, 2011 that this recommendation relates to electronic systems containing PII, and any paper or electronic documents that can be generated from those systems. Based upon this clarification, management does not believe that an annual comprehensive formal risk assessment of such systems is necessary. However, we can agree to conduct an informal risk assessment in connection with the biennial PII Review similar to that conducted by STSI, since that review focuses specifically on PII in both electronic and paper systems.

Auditor Response:

While an informal documented risk assessment would be an improvement from the current state, we view the process conducted by STSI as a formal review and encourage the FEC Privacy Team to follow a similar process. We look forward to reviewing the details regarding the timing and nature of the planned risk assessment in the corrective action plan.

Management Response to 5b:

Management concurs in part: In connection with the biennial PII Review, management agrees to prepare an informal, but documented, assessment of its findings from the review, as well as recommended action items to address any deficiencies found during the review. Management does not agree to prepare and conduct such an assessment outside of the biennial PII Review process.

Auditor Response:

A documented corrective action plan should be prepared for each deficiency noted in any risk assessment, regardless of whether the risk assessment is formal or informal or when the risk assessment is performed.

Management Response to 5c:

Management concurs in part: Management concurs with the need to ensure PII in retired systems is securely transferred, and to that end we agree to develop documented procedures addressing this issue. However, we disagree that this process requires a risk assessment, and note that we already have policies and standards in place that address the destruction and security of PII in retired systems (e.g., Media Disposal Standard and Policy 58-4.2 Media Management Security Policy).

Auditor Response:

We agree that documented procedures that are followed to ensure the secure transfer or destruction of PII in retired systems are sufficient and a risk assessment would not be necessary. We look forward to reviewing the details about the development of these procedures in the corrective action plan.

Finding 6: Mobile Computing Policy, Device Encryption and Controls

FEC Policy

FEC Mobile Computing Security Policy, Policy Number 58-4.3, states:

        “All laptops that access the FEC Local Area Network (LAN) will be required to employ whole hard drive encryption.”

OMB M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006 states:

        “encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing.”

The FEC policy and the OMB requirement are not followed for all FEC laptops.
Contrary to OMB and the FEC’s own guidance, the FEC’s current practice is to encrypt only laptops that leave the building. Further, the primary control to prevent any laptop from leaving the building is the issuance of an FEC property pass authorizing removal. This control is insufficient: it relies on physical enforcement by the FEC security guards, who may stop employees/contractors leaving the building, or on employees/contractors voluntarily indicating to the guards that they have a computer and a current property pass as they leave. It is possible, however, that laptops without property passes can be removed from the building through the main entrance or the exit to the parking garage without being noticed. For example, an FEC contractor routinely brings a non-FEC laptop with a property pass into the building and leaves the building through the main entrance. The contractor has never been asked by the security guards whether he has a mobile device in his bag or asked to display the property pass. Given the FEC’s building and security configurations, laptops, which may or may not be encrypted, could be stolen and easily removed without detection. Laptops are a prime target for theft because they can be easily sold for cash to pawn shops or to other individuals over the internet. A stolen or lost unencrypted FEC laptop containing PII or sensitive information could create a significant liability for the agency. For this reason, the data on all FEC laptops and mobile devices should be encrypted as stated in the FEC policy.

Controls to Prevent Access by Non-Encrypted Devices

The 2007 Performance Audit of Privacy and Data Protection audit report recommended that the FEC implement technical and/or policy controls to prevent local or remote access to Commission resources by non-encrypted devices. In response to the recommendation, management stated it planned to implement a network control device in fiscal year 2008. The device would “deny or restrict access to the FEC’s network for devices not in compliance with the FEC’s policies and minimum settings.”

FEC Mobile Computing Security Policy, Policy Number 58-4.3, states:

        “All staff/contractors who are issued a FEC laptop are authorized for remote access, i.e. (VPN and Dial-up)”.

FEC System Integrity Policy, 58-4.6, states:

        “Information System Monitoring Tools and Techniques

        (a) System Owners shall employ automated tools to support near-real-time analysis of events, when feasible.

        (b) System Owners shall ensure information systems monitor inbound and outbound communications for unusual or unauthorized activities or conditions (e.g., the presence of malicious code, the unauthorized export of data, or signaling to an external information system)”.

FEC Privacy Protection Policies and Procedures, undated, states:

        “I. Co-Chief Privacy Officers/Co-Senior Agency Officials for Privacy

        The Co-Chief Privacy Officers and Co-Senior Agency Officials for Privacy are responsible for:

        Assuring that the Commission’s use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form;”

OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, states:

        As is required by the Privacy Act, the Federal Information Security Management Act (FISMA), and other laws and policies, each agency must take appropriate steps necessary to protect personal information from unauthorized use, access, disclosure or sharing, and to protect associated information systems from unauthorized access, modification, disruption or destruction. Agencies are required to maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies.

In the most recent corrective action plan provided for the Privacy follow-up audit, the Privacy Team stated the network control device “has not been implemented, however we have implemented policies and procedures to prevent access from non-encrypted laptops either locally or remotely.” According to FEC management, a network control device was not implemented due to resource constraints and feasibility concerns, and because it was deemed not to be cost-effective.

As noted above, only devices that are expected to leave the building are encrypted, and the FEC does not maintain complete records, by device, listing which mobile computers are or are not encrypted. Some limited information on device encryption exists; however, that information is not used to monitor or enforce the policy that all laptops that access the LAN “employ whole hard drive encryption.” Detailed testing showed unencrypted devices access agency networks both locally and remotely. Further, the agency is not able to adequately track the mobile devices that can access FEC networks. Refer to the sections on Mobile Device Inventory and Exceptions to FEC Encryption Policy below. As such, we find that neither technical nor compensating controls have been implemented to prevent local or remote access to FEC networks by unencrypted devices.

Mobile Device Inventory

As part of our testing of compliance with the FEC Mobile Computing Security Policy, 58-4, we requested a listing of all mobile devices issued to staff and contractors. The initial listing provided appeared to be incomplete based on our review of recent purchases of Apple computers, iPads, and laptop computers issued to staff in the Office of the Inspector General. Therefore, a second listing was provided on January 11, 2011 with an assurance by management that the listing was complete and accurate, except for the iPads that had been recently purchased and issued but not yet added to the inventory listing. Review of that updated listing again indicated it also might not be complete or accurate. We compared the second mobile device listing to the FEC staffing report at December 18, 2010 and identified 79 employees with no assigned mobile computers (i.e. Apple MacBook, Acer netbook, Dell laptop, or Apple iPad). The listing seemed inconsistent with the roles, responsibilities, or grade level of many of the 79 individuals and with the expectation that these individuals would have a mobile device based on their job function.
Therefore, we judgmentally surveyed 28 of the 79 listed employees and requested that they respond as to whether they currently have mobile computing devices issued by the FEC and, if so, provide the barcode if it was available. Twenty-four (24) responded and most indicated they had been issued mobile computing devices. Seven (7) of those responding had more than one device. One person had four laptop computers, none of which were included on the FEC’s inventory listing. One respondent had two MacBooks, neither of which contained a barcode. Only two (2) of the 28 employees surveyed responded that they did not have a mobile computing device. In total, thirty-three (33) mobile computers were identified through our survey which were not included on the second asset listing provided. Our review of the details provided by some employees surveyed showed that data collected via barcode scanner during the FEC’s annual wall-to-wall inventory in July 2010 was not uploaded to the inventory listing; this appears to be at least one reason why the inventory listing is inaccurate.

We also noted several former employees and former contractors were included in the asset listings provided for the follow-up audit. The second asset listing had four (4) former contractors and five (5) former employees listed as still having mobile devices. One of the former employees listed left the FEC in August 2008, while another left in August 2009. We identified several other employees and contractors who left the agency between September and December 2010, and the asset listing was not updated to reflect the current location of the mobile devices assigned to the former employees/contractors.

Based on initial audit results reported to management, a third asset listing was provided, along with a system report of FEC users and devices encrypted. The ‘listing of encrypted devices’ had 209 records which could be linked, by barcode, to a specific mobile computing device. However, the ‘asset listing’ had 496[5] mobile computing devices which, according to the FEC policy, should be encrypted if issued to staff or contractors. Comparing the listing of encrypted devices to the asset listing provided the following results:

    • Of the 209 listed encrypted devices, 186 encrypted devices were matched to mobile devices included on the asset listing, including one desktop system. Review of the desktop system showed encryption was not installed. This indicates at least one encryption record is not accurate.

    • Of the 209 listed encrypted devices, there were 23 devices which could not be linked to mobile devices included on the asset listing. These items were compared to asset disposal records from 2010, but it does not appear the items were disposed of by the agency. This indicates the third and most recent asset listing provided is not complete or accurate.

    • Of the 496 mobile computers included in the third asset listing, there were 314 mobile devices that could not be linked, by barcode number, to encryption records. Based on a statement by ITD staff that the FEC has approximately 500 encryption licenses, it is likely the majority of the devices are encrypted; however, there is no way to verify the encryption status of the majority of FEC mobile computing devices without physically reviewing each device.

[5] The count is exclusive of Apple iPad mobile computing devices that are not encrypted and are undergoing test and evaluation by the FEC ITD division.

In order to further assess whether the FEC has a complete and accurate list of all encrypted mobile devices, we reviewed asset purchases and identified purchases of Dell D630 model laptops issued to FEC employees and contractors. One hundred and fifty (150) D630 computers were purchased in November 2007 and another one hundred (100) were purchased in August 2008, for a total of two hundred fifty (250) computers. The first asset listing provided during the audit had 213 D630 laptops, the second listing 221, and the third asset listing provided showed 232 D630 laptops were issued to FEC employees and contractors. Our review of the agency’s computer asset storage areas and ITD staff offices located another six (6) D630 laptops, and another two (2) were identified by reviewing the 2010 inventory scan listing for contractors. In total, ten (10) D630 computers were not located and could not be accounted for. Because the annual wall-to-wall inventory performed does not begin with a reconciliation of asset purchases to the fixed asset listing, the FEC may be missing any number of computer assets which are undetected.

The inability to produce a complete and accurate listing of all mobile devices appears to be due to a defect in the design or use of the fixed asset accounting system for mobile devices.
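The three comparisons the auditors describe above (encryption records against the asset listing by barcode, units purchased against units listed per model, and assigned holders against the staffing roster) can be run as one repeatable check rather than a one-off manual comparison. The script below is an added example for this report and is not code from the FEC, ITD or the audit firm. Every record in it is constructed sample data, and the assumption that the encryption console exports one record per device barcode is the example's, not something the report states.

```python
"""Reconcile a mobile-device asset listing against an encryption-console
export, purchase counts and the staffing roster.

Added example, not the FEC's or the auditors' code. All records below are
constructed sample data; the barcode-keyed encryption export is an assumption.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    barcode: str
    model: str
    assigned_to: str  # login of the person the device is issued to
    kind: str         # "laptop", "tablet" or "desktop"


# Constructed asset listing (stand-in for the fixed-asset system export).
ASSET_LISTING = [
    Asset("B1001", "D630", "asmith", "laptop"),
    Asset("B1002", "D630", "bjones", "laptop"),
    Asset("B1003", "MacBook", "cwu", "laptop"),
    Asset("B1004", "D630", "dlee", "laptop"),
    Asset("B1005", "OptiPlex", "asmith", "desktop"),
    Asset("B1006", "D630", "former1", "laptop"),  # holder has left the agency
]

# Constructed encryption-console export: barcode -> full-disk encryption on.
ENCRYPTION_RECORDS = {
    "B1001": True,
    "B1002": True,
    "B1005": True,   # points at a desktop: record needs physical verification
    "B9999": True,   # barcode that appears nowhere in the asset listing
}

# Constructed purchase counts per model and the current staffing roster.
PURCHASES = {"D630": 5, "MacBook": 2}
ACTIVE_STAFF = {"asmith", "bjones", "cwu", "dlee"}


def reconcile(assets, enc_records, purchases, active_staff):
    """Return the discrepancy categories an auditor would follow up on."""
    by_barcode = {a.barcode: a for a in assets}
    mobile = [a for a in assets if a.kind != "desktop"]

    def is_mobile(barcode):
        return barcode in by_barcode and by_barcode[barcode].kind != "desktop"

    report = {
        # Encryption records that link, by barcode, to a listed mobile device.
        "matched": sorted(b for b in enc_records if is_mobile(b)),
        # Encryption records that link to non-mobile hardware: likely wrong.
        "suspect_records": sorted(
            b for b in enc_records if b in by_barcode and not is_mobile(b)),
        # Encryption records with no asset record: the listing is incomplete.
        "orphan_records": sorted(b for b in enc_records if b not in by_barcode),
        # Mobile devices with no encryption record: status cannot be verified.
        "unverified_devices": sorted(
            a.barcode for a in mobile if a.barcode not in enc_records),
        # Devices still assigned to people who are no longer on the roster.
        "departed_holders": sorted(
            a.barcode for a in assets if a.assigned_to not in active_staff),
    }
    # Units purchased that the listing does not account for, per model.
    listed = Counter(a.model for a in assets)
    report["unaccounted"] = {
        model: bought - listed[model]
        for model, bought in purchases.items()
        if bought - listed[model] > 0
    }
    return report


def print_summary(report):
    for category, items in report.items():
        print(f"{category}: {items}")


if __name__ == "__main__":
    print_summary(reconcile(ASSET_LISTING, ENCRYPTION_RECORDS,
                            PURCHASES, ACTIVE_STAFF))
```

Each category maps to one of the discrepancies the auditors reported: "suspect_records" is the desktop that appeared in the encryption export, "orphan_records" are the 23 encryption records with no asset, "unverified_devices" are the 314 devices with no encryption record, "unaccounted" is the purchase-to-listing gap found for the D630s, and "departed_holders" are the devices still assigned to former employees and contractors. Running the check on each new listing export turns the reconciliation into a recurring control rather than an audit-time exercise.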
Because of the lack of an\naccurate, updated inventory, the FEC cannot state with reasonable certainty that all mobile devices\npurchased and in use are encrypted, in accordance with the stated policy, and there may not be an\nadequate record of the current location or to whom the mobile devices are issued. Further, because the\nasset listing is not reconciled to assets purchased, or adequately maintained, the FEC must rely on\nemployees reporting theft or loss to adequately control computer equipment. Lost or stolen devices could\nbe used to gain unauthorized access to FEC systems that contain PII and the FEC may be unable to\ndetermine whether a breach of PII has occurred.\n\nExceptions to FEC Encryption Policy\n\nThe FEC grants exceptions to the policy requiring all laptops be encrypted, and all mobile devices be\nencrypted and/or password protected.\n\nApple MacBooks\n\nDuring the 2007 Privacy and Data Protection Audit, the FEC had fourteen (14) Apple MacBooks and\nthree (3) other laptop computers that were not encrypted. During this follow-up, because the initial asset\nlisting provided did not include Apple computers, we specifically requested information on MacBook\ncomputers issued to staff and contractors, and whether or not the devices were encrypted. We were\ninformed that thirteen (13) devices were issued to employees and that the devices were encrypted and had\nSecuriKeys; an additional three (3) MacBook devices were issued to ITD staff but not encrypted due to\n\xe2\x80\x9ctesting purposes and are not removed from the building.\xe2\x80\x9d FEC staff stated that exceptions to the policy\nthat all laptops have encryption could only be made by the CIO. We note, however, that the policy does\nnot stipulate: that exceptions are allowed; whether a documented risk assessment is required before\ngranting an exception; who may approve the exception; or how the requests and approval of exceptions\nare to be documented. 
There were no documents to support the policy exceptions for mobile devices that\nwere not encrypted noted during this follow-up audit.\n\nWe met with one of the Information Technology Division (ITD) employees issued an unencrypted\nMacBook who explained that encryption was not installed on the computer because no licenses were\navailable at the time. The employee further explained that encrypting the device would have had no\nimpact on device use and testing performed. The employee stated that the device was taken out of the\nFEC and used to access the network remotely. The device has since been encrypted and verified by\nauditors through direct observation. We were informed the other two MacBooks are scheduled for\nencryption once the employees bring them from home.\n\n\n\n                                                  31\n\n\x0cThe January 2011 asset listing showed fourteen (14) employees were issued MacBooks. The following\ndifferences were noted between that inventory listing and the email provided by management listing the\nencrypted and unencrypted MacBooks in December 2010:\n\n    \xe2\x80\xa2\t Three Information Division employees listed as having MacBooks in the email were not included\n       on the asset listing;\n    \xe2\x80\xa2\t One of these three employees has since responded to the audit inventory survey and stated they\n       have two MacBooks, an older model and a new model. Both devices are barcoded. 
It appears\n       some Information Division employees may have been issued laptops several years ago and those\n       devices are not reflected in the asset listing or the 2010 inventory; and\n    \xe2\x80\xa2\t Three employees with four (4) total MacBooks were included in the asset listing but not in the\n       email describing which MacBook devices were or were not encrypted.\n    \xe2\x80\xa2\t The asset listing does not reflect the three ITD staff described in the email as issued unencrypted\n       MacBooks.\n    \xe2\x80\xa2\t None of the three asset listings provided nor the December 2010 email reflected two MacBooks\n       held by one Information Division employee. The devices were not barcoded or encrypted6.\n\nThe FEC purchased one (1) MacBook on February 26, 2010 and twenty (20) MacBooks on September 20,\n2010. It is unclear how many MacBooks were previously purchased and issued to FEC staff and whether\nor not the devices were or were not encrypted. The discrepancies noted with the various asset listings\nindicate a complete inventory, based on agency purchases and disposals, is required.\n\nApple iPads\n\nThere are also seven mobile iPads being evaluated by the ITD that connect to the FEC network, are\nremoved from the building and are not encrypted. The devices are not barcoded and are not included in\nthe fixed asset listing7. These devices also have AT&T wireless data plans for six months. There is no\ndocumented approval for the iPad exception from the encryption policy, but ITD staff pointed out that the\nassets have the ability to be remotely wiped if the devices are reported lost or stolen. We were informed\nthat the devices were password protected. Management represented that the password requirements for\niPads is being evaluated and currently a 4 digit personal identification number (PIN) is the only\nrequirement. 
In order to protect FEC data, we were told that staff issued iPads were verbally instructed to\nnot save FEC information to the device.\n\nWe performed a quick query with Apple on iPad security features and learned that the device includes\nnumerous security features, to include imbedded encryption (\xe2\x80\x9ciPad in Business Security Overview\xe2\x80\x9d\npublished in April 2010 by Apple). Based on the information provided by ITD staff testing the devices, it\nappears an inadequate risk assessment and security research was performed for these devices prior to\ngranting access to FEC networks. Instead, there was a reliance on verbal instructions to not download\nany FEC data on these devices.\n\nBlackberrys\n\nFEC Mobile Computing Security Policy, Policy Number 58-4.3, also states:\n         \xe2\x80\x9cAll mobile computing devices including Blackberries and Palm Pilots must be encrypted and/or\n         password protected.\xe2\x80\x9d\n\n\n\n6\n  Since initially reporting this finding to management, the newest MacBook issued to the employee has been\n\nencrypted and barcoded. The older MacBook has been returned to ITD for secure disposal. \n\n7\n  The devices have since been barcoded and were included in the third asset listing provided by management. \n\n                                                      32\n\n\x0cThis statement in the policy is not clear on which devices may be only password protected, compared to\nothers that must be encrypted and password protected. This standard is inconsistent with the statement\non page 2 of the same policy that:\n\n        \xe2\x80\x9cAll laptops that access the FEC Local Area Network (LAN) will be required to employ whole\n        hard drive encryption.\xe2\x80\x9d\n\nBlackberrys assigned to FEC employees and contractors are not encrypted. 
These devices are password
protected and there is the ability to remotely “wipe” a Blackberry if it were reported lost or stolen.
Blackberrys can and should be encrypted and password protected to the same standards as other mobile
computing devices.

The FEC did not fully implement OMB M-06-16, Protection of Sensitive Agency Information, due to
concerns about the amount of system overhead resulting from Blackberry encryption. The lack of
encryption on all laptops, iPads, and Blackberrys places the data resident on these devices, which could
include PII or FEC sensitive information, at greater risk of unauthorized disclosure if the devices are lost
or stolen. The consequences could then be:

    •   damage to the individuals whose personal information was disclosed;
    •   adverse media coverage and embarrassment for the FEC and potential Congressional inquiry;
    •   financial consequences to address an unauthorized disclosure of information; and
    •   potential litigation.

Encryption Passphrases for Contractors

We were informed by the Information Systems Security Officer that encrypted laptops assigned to
contractors use an encryption passphrase assigned by the FEC. This is done to allow access to the
information on the laptop if the contractor suddenly or unexpectedly departed the FEC. This process
differs from that of FEC employees, who choose their own unique passphrase. Based on mobile devices
assigned to contract auditors as part of another follow-up audit, it appears the same passphrase is used for
all contractors. The passphrase assigned to contractors is not suitably complex, is relatively intuitive, and
could be easily guessed or “hacked” by using basic password detection or “cracking” software.
The lack
of a unique secret passphrase for each individual increases the risk that the data on that laptop could be
accessed by an unauthorized individual.

Recommendations

We recommend that the FEC:

        6a.     Modify the Federal Election Commission Mobile Computing Security Policy, 58-4, to
                require all mobile devices, including Blackberrys, be encrypted.
        6b.     Revise Federal Election Commission Mobile Computing Security Policy, 58-4, to specify
                when any exceptions to policy may occur, who may approve the exception, the risks to
                PII if an exception is granted and any compensating controls, and the level of
                documentation required to support the exception.
        6c.     Record all mobile computing devices in inventory when received.
        6d.     Perform a review of the process and systems used to maintain the inventory of mobile
                devices to ensure that they are appropriately designed to maintain a complete and
                accurate inventory. A complete physical inventory of all mobile devices purchased less
                those disposed should be performed and reconciled to the existing mobile device
                inventory listing.
        6e.     Include a record in the inventory listing of whether the device is encrypted or not.
        6f.     Implement a process and form requiring employees and contractors to sign when they
                receive a mobile device, acknowledging their receipt of the asset, and maintain a record of
                these sign-offs.
        6g.
                Implement an alternative to assigning a generic laptop encryption passphrase to
                contractors so that every contractor has a unique self-selected passphrase, while
                maintaining the ability to decrypt the stored data in the event of an unexpected departure.
                The ability to recover an employee's data in unencrypted form should also be in place.

Further Information on Encryption

There have been significant advances in encryption efficiency over the past few years. Encryption, when
properly implemented, can provide reasonable security to protect data from unauthorized disclosure.
Implementing the recommendation to encrypt all mobile devices would provide consistency with OMB
M-06-16, dated June 23, 2006, which states “encrypt all data on mobile computers/devices which carry
agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an
individual he/she may designate in writing.” In addition, encryption can provide an organization a safe
harbor in the event of a security breach. For example, Senate bill S.139, the “Data Breach Notification
Act,” provides that notification to affected individuals would be required unless a risk assessment
concludes that there is no significant risk that a security breach has resulted in, or will result in, harm to
the individual whose sensitive PII was subject to the security breach. There will be a presumption of no
significant risk of harm to the individual whose sensitive PII was subject to a security breach if such
information was encrypted. There is also a presumption of no significant risk of harm if the data was
rendered indecipherable through the use of best practices or methods, such as redaction, access controls,
or other such mechanisms, that are widely accepted as effective industry practice, or an effective industry
standard.
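Returning to recommendation 6g, the arrangement it calls for can be illustrated with an added example (not from the report or the FEC): each laptop's data-encryption key is wrapped under both a key derived from the user's own passphrase and an organisation-held recovery key, so every passphrase stays unique and secret while the agency keeps the ability to decrypt after an unexpected departure. The slot names, the PBKDF2 parameters and the stdlib-only HMAC wrap are this example's assumptions; it follows the key-slot design of full-disk encryption products rather than any FEC configuration.

```python
"""Two-slot passphrase escrow for laptop disk encryption.

Added example, not FEC code. It models the key-slot approach of full-disk
encryption products (LUKS keyslots, BitLocker recovery keys): the disk's data
encryption key (DEK) is never stored in the clear but is wrapped twice, once
under a key derived from the user's self-chosen passphrase and once under an
organisation-held recovery key that never lives on the laptop. Either slot alone
recovers the DEK; the user passphrase stays unique and secret, and the agency
can still unlock the device after an unexpected departure. Stdlib only: PBKDF2
stretches the passphrase, and the key wrap is an HMAC-SHA256 encrypt-then-MAC
construction (a real deployment would use AES key wrap or AES-GCM).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

KEY_LEN = 32            # DEK / KEK size in bytes (assumed)
PBKDF2_ITERS = 200_000  # passphrase stretching cost (assumed)


@dataclass(frozen=True)
class Slot:
    salt: bytes     # PBKDF2 salt for the user slot; empty for the recovery slot
    nonce: bytes    # fresh per wrap; makes the keystream unique
    wrapped: bytes  # DEK XOR HMAC(kek, "wrap" || nonce)
    tag: bytes      # HMAC(kek, "tag" || nonce || wrapped); rejects wrong keys


def _kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERS, KEY_LEN)


def _wrap(kek: bytes, dek: bytes, salt: bytes = b"") -> Slot:
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"tag" + nonce + wrapped, hashlib.sha256).digest()
    return Slot(salt, nonce, wrapped, tag)


def _unwrap(kek: bytes, slot: Slot) -> Optional[bytes]:
    # Verify the tag before touching the ciphertext: a wrong key or a
    # tampered slot yields None, never a garbage key.
    expected = hmac.new(kek, b"tag" + slot.nonce + slot.wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot.tag):
        return None
    stream = hmac.new(kek, b"wrap" + slot.nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slot.wrapped, stream))


def provision_laptop(user_passphrase: str, recovery_key: bytes) -> Dict[str, Slot]:
    """Enrol a device: generate a fresh DEK and wrap it under both slots.

    The returned header is what would be stored on the laptop. The DEK itself
    is discarded here; it is only ever reconstructed through a slot.
    """
    dek = os.urandom(KEY_LEN)
    salt = os.urandom(16)
    return {
        "user": _wrap(_kek_from_passphrase(user_passphrase, salt), dek, salt),
        "recovery": _wrap(recovery_key, dek),
    }


def unlock_with_passphrase(header: Dict[str, Slot], passphrase: str) -> Optional[bytes]:
    """Normal boot path: the user's own passphrase opens the user slot."""
    slot = header["user"]
    return _unwrap(_kek_from_passphrase(passphrase, slot.salt), slot)


def unlock_with_recovery(header: Dict[str, Slot], recovery_key: bytes) -> Optional[bytes]:
    """Departure / forgotten-passphrase path: the escrowed key opens the recovery slot."""
    return _unwrap(recovery_key, header["recovery"])


def rewrap_user_slot(header: Dict[str, Slot], recovery_key: bytes,
                     new_passphrase: str) -> Dict[str, Slot]:
    """Hand a device to a new user without re-encrypting the disk.

    The DEK is recovered through the recovery slot and wrapped under the new
    user's passphrase; the old passphrase no longer opens anything.
    """
    dek = unlock_with_recovery(header, recovery_key)
    if dek is None:
        raise ValueError("recovery key does not open this device")
    salt = os.urandom(16)
    return {
        "user": _wrap(_kek_from_passphrase(new_passphrase, salt), dek, salt),
        "recovery": header["recovery"],
    }
```

The recovery key is the escrowed secret the agency must protect and log access to; a device's inventory record (recommendation 6e) is the natural place to note that it was provisioned this way.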
While S.139 and similar bills have not yet passed into law, encryption of all mobile devices
will allow the FEC to proactively address a likely legal protection for the future, as well as avoid an
embarrassing event if an unencrypted mobile device with PII was lost or stolen and the PII was exposed
or misused.

Management's General Response to Finding 6:

Prior to responding to the specific recommendations, we would like to generally respond to some of the
statements made for this finding. While we concede that the physical inventory process could be
improved, an audit of this process was recently completed during the Inspector General’s Audit of the
Commission’s Property Management Controls. We respectfully suggest that pure inventory control
issues were more appropriately within the scope of that audit than this one, and we therefore defer to
management’s responses to that audit where the findings in this report overlap. Also, the report contains
many comments regarding unnamed employees who are in receipt of multiple laptops or mobile devices.
However, without knowing the names of these employees we cannot make a determination as to whether
they possess the multiple devices for legitimate business reasons. For instance, several IT personnel
possess multiple laptops for various legitimate technological testing purposes. In order to ensure the
accuracy of those tests it is necessary that these employees maintain multiple devices, oftentimes with
differing security controls. Thus, the fact that an employee possesses multiple devices is not in and of
itself a privacy or security danger.

Auditor Response:

Included in the scope of this review was testing of a sample of laptops to verify that encryption was
installed on these devices in accordance with current FEC policy.
To select a sample of devices for
testing from which we could draw a valid conclusion, we required a complete and accurate listing of
laptops. For this reason, the laptop inventory listing was part of the scope. The original and revised
listings provided to us contained numerous inaccuracies. As a result, we could not determine with a high
degree of precision how many laptops exist at the FEC or to whom, if anyone, they were assigned.
Therefore, we were not able to rely on these listings for testing. We acknowledge that multiple devices
can be assigned to an employee; however, these devices should all be properly recorded in the inventory.
We will provide all the details we have documented to management. We look forward to reviewing the
results of management’s review of the inventory records and explanation of whether employees with
multiple devices have them for legitimate business reasons.

Management Response to 6a:

Management concurs in part: Management agrees that encryption is a powerful tool in protecting
sensitive information from breach. However, because the encryption process is tied to an individual user
(e.g., an encrypted device requires that the user enter a unique passphrase and password tied to the
individual in order to get into the laptop), encryption would not be practical for a device that is used by
multiple people (e.g., laptops attached to scanners). For that reason, management agrees to ensure that all
unencrypted laptops will be locked and secured with a security cable so as to prevent removal from the
building. All other laptops (i.e., those assigned to a specific user) will be encrypted. With respect to
Blackberries, it is our understanding that the transfer of information to Blackberries is encrypted while in
transit, and that the Blackberries were recently updated to include encryption at rest.
Management will
continue to investigate mechanisms for securing other mobile devices. It should be noted that the OCIO
has the ability to conduct remote wipes of information on mobile devices so as to minimize the effects of
a loss. Finally, Management also agrees to modify its Mobile Computing Policy to accurately reflect its
encryption practices.

Auditor Response:

We encourage management to confirm that the encryption functionality is activated for all FEC
Blackberry devices. We also look forward to reviewing the details regarding the timing of the policy
update in the corrective action plan. The agency’s planned action is responsive to the audit issue
identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Management Response to 6b:

Management concurs in part: We do not agree that exceptions to the Mobile Computing Security
Policy should be noted in the policy itself, since exceptions are rare and are granted on a case-by-case
basis. We do agree that the policy should be revised to reflect that exceptions to the policy must be
granted by the CIO. We do not agree to specify risks to PII if an exception is granted, since that is
already a component of the FEC’s Certification & Accreditation program. Nor do we believe it is
appropriate to include specific risks to PII, if an exception is granted, in this policy document since the
risks will depend on the specific exception and the facts warranting the exception.
We do, however, intend
to inform those that are granted an exception of the risks to PII associated with the exception granted.

Auditor Response:

We are not recommending that the policy be modified to describe specific exception scenarios, but that
the process by which an exception is requested, approved/denied and documented be a matter of policy.
We believe it is important to consider the risks to PII for every exception request as they will vary on a
case-by-case basis and may not necessarily have been considered as part of the FEC’s Certification &
Accreditation program.

Management Response to 6c:

Management does not concur: Management respectfully believes that this finding goes beyond the
scope of this audit, and refers to its General Response to Finding 6. To the extent this finding relates to
the securing of data on mobile devices, we agree that encryption can be used for that purpose and refer the
auditors to our response to 6a.

Auditor Response:

See Auditor Response to Management’s Response to Finding 6 and 6a.

Management Response to 6d:

Management does not concur: Management respectfully believes that this finding goes beyond the
scope of this audit, and refers to its General Response to Finding 6.
To the extent this finding relates to
the securing of data on mobile devices, we agree that encryption can be used for that purpose and refer the
auditors to our response to 6a.

Auditor Response:

See Auditor Response to Management’s Response to Finding 6 and 6a.

Management Response to 6e:

Management does not concur: Management agrees to review its inventory process to determine
whether it is necessary to combine the inventory list and the encryption list to ensure the protection of PII
information.

Auditor Response:

We believe that maintaining a record of whether the device is encrypted in the inventory list will allow
management to quickly know if a lost or stolen device was encrypted, which is necessary to understand
the resulting risk to the information that was stored on the device. We look forward to reviewing the
details in the corrective action plan for improvements to the inventory process.

Management Response to 6f:

Management does not concur: Management respectfully believes that this finding goes beyond the
scope of this audit, and refers to its General Response to Finding 6.
To the extent this finding relates to
the securing of data on mobile devices, we agree that encryption can be used for that purpose and refer the
auditors to our response to 6a.

Auditor Response:

See Auditor Response to Management’s Response to Finding 6 and 6a.

Management Response to 6g:

Management concurs: Management agrees to provide contractors with unique passphrases for laptops.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented,
should satisfy the intent of the audit recommendation.

Finding 7: Safeguards Over Sensitive Agency Information and PII Need Improvement

We performed an after-hours walkthrough of the Commission building on November 10, 2010 and
January 19, 2011, and noted some improvements since the prior walkthrough performed by Cotton &
Company and OIG staff in November 2007, such as:

    •       Many offices were locked, effectively securing the contents from other employees,
            contractors or visitors, but not from facility maintenance or cleaning staff that have a master key
            for all locks.
    •       There were secure shred bins and shredders throughout the building. The secure shred bins
            were padlocked.

During the walkthrough, we also identified several instances where sensitive information and PII were
easily accessible to unauthorized personnel. We concluded that controls are not adequate to ensure that
sensitive information, including personally identifiable information (PII) collected, processed, or stored
by the FEC, has been adequately safeguarded.
Specific examples of weaknesses observed include:

    •  Individuals’ applications for FEC employment containing names, addresses, phone numbers, and
       social security numbers were located in an unsecured office.
    •  Confidential blue folders possibly containing sensitive information or PII were in unsecured areas,
       such as in common area mail slots and on desks in common areas.
    •  FEC employee and contractor PII was noted in unclaimed print jobs near common area printers in
       unsecured areas.
    •  Some employees left their personal mail, including credit card statements, bank statements,
       medical insurance information, and utility bills, in plain view. One employee left their
       Federal credit card statement in plain view. This observation is potentially indicative of a lack of
       understanding of the importance of protecting not only employees’ own personal PII, but also the
       PII that has been entrusted to the FEC.
    •  Modular workspaces and unlocked offices often had unsecured laptop computers that contained
       SecuriKeys (a hardware device that is inserted into the computer and is a second factor of
       authentication, in addition to the user ID and password), including a number of Apple laptops.
       None of the Apple laptops had a security cable attached to prevent someone from taking the
       laptops outside the building.
    •  One employee left a post-it note with an encryption pass phrase, network log-on, and password
       on their desk.
       Passwords on post-it notes were also noted for several employees in one division.
    •  Filing cabinets located in common storage areas for one division were deliberately left unlocked.
       Some had keys taped to the cabinets while others had the locks disabled with masking tape.
       Contents of many cabinets included documents marked “sensitive.”
    •  “Matters Under Review” (MURs) and other sensitive work product documentation were found in
       unsecured areas, such as on employees’ desks and in unlocked common area cabinets. Typically,
       the work products did not contain security classification labels such as “sensitive” or
       “confidential,” but should have, to reflect the confidentiality of the information.
    •  FEC confidential and proprietary documents produced by three different contractors as part of
       their service to the FEC were left unsecured in modular work space for up to two years. Some of
       the documents contained process flow diagrams for FEC applications and assorted procedural
       documents. Some of the documents were labeled “Confidential” and “Confidential Do Not
       Distribute,” while others appeared sensitive but were not labeled.

FEC Privacy Policies and Procedures,[8] Section VII, Security, states:

          “The FEC shall provide security protection for all records that contain personal information
          maintained in FEC’s systems to ensure the accuracy, integrity and confidentiality of the records.
          The FEC’s security protections for systems that store personal information shall include
          appropriate administrative, technical and physical safeguards such as:

          1.
               Physical security of both hard copy and electronic data;
          2.   Personnel security for employee and contractor access to data;
          3.   Network security for data in transit; and
          4.   Secure and timely destruction of records.

          The security protection afforded each system shall be commensurate with the risk level and
          magnitude of harm the FEC and/or the record subject would face in the event of a security
          breach.”

Consolidated Appropriations Act, 2005, Section 522 states:

          Section (a)(7): “Each agency shall have a Chief Privacy Officer to assume primary responsibility
          for privacy and data protection policy, including ensuring that the Department protects
          information in an identifiable form and information systems from unauthorized access, use,
          disclosure, disruption, modification, or destruction.”

          Section (a)(1): “Each agency shall have a Chief Privacy Officer to assume primary responsibility
          for privacy and data protection policy, including assuring that the use of technologies sustain,
          and do not erode, privacy protections relating to the use, collection, and disclosure of
          information in an identifiable form.”

OMB M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005, pg. 1,
states:

          “As is required by the Privacy Act, the Federal Information Security Management Act (FISMA),
          and other laws and policies, each agency must take appropriate steps necessary to protect
          personal information from unauthorized use, access, disclosure or sharing, and to protect
          associated information systems from unauthorized access, modification, disruption or
          destruction.
          Agencies are required to maintain appropriate documentation regarding their
          compliance with information privacy laws, regulations, and policies.”

[8] The policy was approved by the Commission on December 4, 2007. The document is not dated.

Commission Document Security Classification and Labeling

As noted above, the walkthrough showed improvement is needed in classifying and labeling documents
that contain sensitive information or PII. The FEC Information Classification Policy 58.1.3 states:

          “An information security model should be developed to assist FEC management with classifying
          and securing information. This information security model is to be used only as guidance not as
          a standard.”

Although the Federal Election Commission Guide to Protecting Sensitive Information describes the two
classes of information held by the agency as “public” and “sensitive” (a.k.a. confidential), it does not
specify the need to label electronic files so that when the files are printed, the documents indicate whether
they are sensitive and need to be stored securely. The guide does state:

               “Information identified as sensitive should not be left in areas where unauthorized persons
               may have an opportunity to view it. This includes your work area. A screen filter may be an
               option to consider.
               Sensitive documents that are to be disseminated via internal mail shall be
               enclosed in an envelope marked sensitive and/or confidential.”

The guide does not require the divisions to use templates that include security classification labels in the
header and/or footer of a file so that the classification can be viewed on screen and on each printed page.
Including a requirement to identify sensitive work products and developing standard forms with embedded
security classification markings would ensure printed documents are labeled so that the need to
physically secure them is evident. As an example of a labeling weakness detected during the walkthrough,
we noted a group of eleven (11) FEC forms, some one page and others multiple pages, left unsecured by
former contractors. Seven of the forms were labeled “confidential” on the first page. One of the forms
had the security classification included on each printed page. Three forms did not include the security
classification on the first page, but the “confidential” label was located on at least one page of the
multipage documents. It appears the security classification label intended for the first page was displaced
by the amount of data included on the first page of the form, forcing the security label to print on page two
of the document. One form had no security classification label, but should have been labeled.

As noted above, filing cabinets in common areas of one division were disabled to prevent locking or had
keys attached to ensure they could be accessed by all staff. Some of the cabinets had files marked
sensitive and some had PII, such as copies of personal checks with banking information. A door to a
common file room was unlocked and had a note requesting staff not to lock the door. Most filing cabinets
in that room were locked; however, two were unlocked.
The files in the two unlocked cabinets included
some documents marked sensitive, and others that were not labeled but, due to their content, should have
been labeled “sensitive.”

The FEC does not have detailed procedures for classifying and labeling sensitive information. In
addition, the divisions may not have adequately communicated secure storage needs, including the need
to have secure storage accessed by a group of employees, to the FEC Security Officer and Records
Manager. Sensitive documents, including those with PII, could be accessible by FEC staff, contractors,
or service personnel such as cleaners and facilities maintenance staff that do not have a valid business
need to access the records. This increases the risk of data breach and unauthorized disclosure.

Requirement to Review Current Security Designations

President Obama issued Executive Order 13556, Controlled Unclassified Information, on November 4,
2010.[9] The executive order recognized the fact that:

           “At present, executive departments and agencies (agencies) employ ad hoc, agency-specific
           policies, procedures, and markings to safeguard and control this information, such as
           information that involves privacy, security, proprietary business interests, and law enforcement
           investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and
           safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and
           created impediments to authorized information sharing.
           To address these problems, this order
           establishes a program for managing this information, hereinafter described as Controlled
           Unclassified Information, that emphasizes the openness and uniformity of Government-wide
           practice.”

[9] Executive Order 13556 is included as Attachment 4 of this report.

As a result of this executive order, by May 4, 2011, the FEC will be required to:

        (1) “review all categories, subcategories, and markings used by the agency to designate
            unclassified information for safeguarding or dissemination controls; and

        (2) submit to the Executive Agent a catalogue of proposed categories and subcategories of CUI,
            and proposed associated markings for information designated as CUI under section 2(a) of
            this order. This submission shall provide definitions for each proposed category and
            subcategory and identify the basis in law, regulation, or Government-wide policy for
            safeguarding or dissemination controls.”

The National Archives and Records Administration (NARA) serves as the Executive Agent to implement
this order and oversee agency actions to ensure compliance with this order. By implementing Executive
Order 13556, the FEC will assess current categories, subcategories, and markings used by the agency to
designate security classifications. Based on the assessment, the agency will then have the opportunity to
propose standards and definitions for security categories and markings to NARA.
Once the assessment
process has been completed and approved by NARA, the FEC can implement procedures to ensure the
standards are applied and enforced throughout the Commission.

Contractor Records

The FEC’s Procurement Procedures – 020 Contracting Officer Technical Representative (COTR)
Program, states:

        “If contractor employees (or their subcontractors) will have access to FEC property (real,
        physical, or electronic), you must ensure that they follow the provisions of the contract and
        comply with the guidelines established by the FEC, including but not limited to, guidelines
        related to information about individuals and commercial information owned by other third
        parties, including personally identifiable information, protected by the Privacy Act and other
        federal laws for the protection of government property;…”

Standard language in FEC contracts includes the following:

        “NON-DISCLOSURE OF CONFIDENTIAL DATA STATEMENT: As Required in writing by
        either the Statement of Work, Contracting Officer or COTR - - Within ten business days of receipt
        of notice of award, the contractor shall provide a signed copy of the FEC Non-Disclosure
        Agreement (See Attachment 6) for all personnel involved in the engagement. Approved
        replacement personnel shall provide a completed agreement when assigned to this contract. No
        access will be given until the Non-Disclosure Agreements are provided to the Contracting Officer
        with a copy to the COTR.”

As part of the FEC’s contracting process, contractors are required to sign a non-disclosure agreement
which defines the standards for protecting sensitive information as well as PII during the course of service
delivery.

    2.  “Disclosure of FEC information.
        I agree to hold the FEC’s sensitive, protected, and confidential
        information, including personally identifiable information, in whatever form or format, in strict
        confidence, and to take all reasonable precautions to protect against unauthorized use or
        unauthorized disclosure of such information, including but not limited to compliance with the
        Rules of Behavior and Acceptable Use Standards for Federal Election Commission Information
        and System Resources.

    4.  Duty to report. I agree to report immediately to an appropriate employee of the FEC any
        unauthorized use, unauthorized disclosure, or other breach of sensitive, protected, and
        confidential information of which I become aware, or which I suspect has occurred or may
        occur.”

The non-disclosure agreement also defines the return and destruction processes required at the conclusion
of the contract as follows:

    5.  “Return of FEC material and information. At the conclusion of my work under this contract, I
        will return to the FEC (or destroy, upon written approval of the Contracting Officer) all FEC
        material, including copies, and all records containing FEC material and information.

    6.  Destruction of Personally Identifiable Information (PII). Prior to final payment on the contract, I
        will verify with the COTR and/or contracting officer that I have destroyed any and all FEC PII
        that has come into my custody while working for or at the FEC. The destruction method must be
        consistent with FEC IT Security Policies.”

In providing services to the Commission, contractors are given access to FEC systems and records that
are sensitive or confidential.
The results of the walkthrough showed that at least three contractors failed
to comply with the policy and did not:

    •  take reasonable care to protect “FEC’s sensitive, protected, and confidential information,
       including personally identifiable information”;[10]
    •  include adequate security classifications and labeling on files to indicate the need to store printed
       documents in a secure location;
    •  return FEC materials and information to the COTRs at conclusion of service delivery; and
    •  remove and destroy excess records not needed for their own official record of service delivery to
       the Commission.

For these contracts, the Commission may not have received, and the COTRs may not have requested, a
final certification from the contractor, or verified that the certification was accurate, prior to approving
final payment. COTRs are not required to perform a walkthrough of the space used by contractors to
verify that all paper or other documents or records were securely disposed of or filed at the end of the
assignment. The FEC may not enforce the contract requirement that contractors certify secure disposal,
destruction or return of FEC records prior to final payment.

Specialized Training

In the PII Assessment Report provided to the FEC on May 20, 2009 by STSI, the contractor
recommended as a short term task that the agency “Expand training of employees and contractors on the
specific procedures necessary to safeguard documentation containing PII processed during the course of
their duties.” The FEC has not yet developed division level or job/role specific privacy training to
address the different operating environments throughout the agency.
The results of the walkthrough indicated that more specialized training for some divisions or job-specific roles may be required to ensure adequate protection of sensitive information and/or PII. Lack of detailed training on the business processes and forms unique to the various divisions in the agency prevents employees from fully adopting privacy and data protection best practices specific to their roles and responsibilities. The FEC has recently completed a draft evaluation of the recommendations of the STSI PII Assessment Report and has not implemented the recommendation to develop more detailed training specific to divisions or roles/responsibilities.

[10] Two contractors left their own PII unsecured in a modular workspace.

Securing Mobile Computing Devices and Passwords

The 2007 Privacy and Data Protection Audit walkthrough results showed that some FEC employees had not adequately secured their laptop computers by removing the SecuriKey device, or had not protected their log-on and password. In response to the 2007 audit walkthrough results, the 2008 Mandatory Security Awareness Training stressed the need for employees and contractors to comply with the Rules of Behavior and Acceptable Use Standards for Federal Election Commission Information Systems and Resources, specifically:

• Section 8.d - “Protect your password from disclosure.
Specifically, do not post your password in your area.”
• Section 18 - “Protect FEC computing resources from theft or loss; take particular care to protect any portable devices and media entrusted to you, such as laptops, cell phones, palm-top computers, disks, CDs, and other portable electronic storage media.”

In the 2008 and 2009 FEC Privacy 101 Training presented to employees and contractors via PowerPoint, the slide on laptop security stressed that “all FEC laptops must be secured with a security cable” and “when leaving your office, the secure key (SecuriKey) should be removed or your door locked.” The walkthrough results of this follow-up audit indicate that training alone is not sufficient to ensure that employees and contractors comply with FEC privacy and data protection policies, procedures and standards. The annual IT Security and Privacy training may not be put into practice by employees and contractors because neither the ISSO nor the Security Officer performs regular walkthroughs to verify that Commission staff comply with privacy and data protection standards.

Recommendations

We recommend that the FEC:

7a. ISSO, Physical Security Officer, and/or division management should conduct regular walkthroughs to ensure that agency staff comply with privacy and information security standards;

7b. Should emphasize document labeling requirements with all staff, create standard document templates that carry the labels, and monitor their use;

7c. Should develop a plan to implement Executive Order 13556, Controlled Unclassified Information, and comply with future directives issued by NARA;

7d.
    Division managers should work with the Physical Security Officer and the Records Officer to assess records management and secure storage needs and address the failures to adequately secure sensitive information noted during the walkthrough;

7e. Contracting Officer and COTRs should enforce the requirement for contractors to certify secure destruction or return of FEC information in both paper and electronic format;

7f. Should establish policy and procedures requiring COTRs to inspect the physical space occupied by contractors when the contractor departs, to ensure paper and electronic records are securely disposed of or filed; and

7g. Should implement the plan to develop and deploy privacy training specific to the individual divisions.

Management Response to 7a:

Management concurs: Management will commit to having the ISSO, Physical Security Officer and other management officials as appropriate participate in occasional walkthroughs of the building to ensure privacy and information security standards are being met. This commitment is subject to Commission approval of this policy.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation. We look forward to reviewing the details regarding the timing and scope of the planned walkthroughs in the corrective action plan.

Management Response to 7b:

Management does not concur: Management does not believe it is practical to require staff to label every document created by employees. Such a requirement could slow down Commission work processes. Moreover, we believe that the prescribed privacy benefit of labeling (i.e.
that persons will treat documents marked “Sensitive” in a different manner than documents that are not marked) is not necessarily realistic.

Auditor Response:

Currently, in the absence of an agency-wide labeling process, each employee must determine how a particular document or file is to be protected. As a result, the protection of information may or may not be adequate or meet the expectations of FEC leadership. The recommendation would involve management establishing standard document templates so that staff would not be required to make these decisions.

Management Response to 7c:

Management concurs in part: Management agrees and has developed a plan to implement Executive Order (EO) 13556. However, based on our conversations with National Archives and Records Administration (NARA) officials, we believe the agency’s responsibilities under this EO are different from what the auditors appear to think they are. We spoke to Carla Riner, Lead for Policy and Strategic Planning for the Controlled Unclassified Information Office of NARA, who was a part of the team that drafted Executive Order 13556. According to Ms. Riner, the purpose of EO 13556 is not to label every document in the agency, but to ensure that the labels agencies are currently using are legally mandated. To that end, agencies were asked to fill out a matrix by no later than May 4, 2011, including information the agency “would like to be considered controlled” and the law that requires that the information be protected. After agencies submit the matrix information, NARA will issue a series of instructions to “phase in” implementation of the government-wide labeling system. To the extent this recommendation asks management to comply with the EO and other NARA guidance, management concurs.
To the extent this recommendation asks management to implement new procedures to ensure expanded labeling is applied and enforced throughout the Commission, management does not concur, as that is not a mandate required by the EO or currently by NARA.

Auditor Response:

Our recommendation is for management to develop a plan to implement Executive Order 13556, which is independent of the labeling recommendation in 7b. We acknowledge management’s concurrence to develop a plan to comply with Executive Order 13556 and other NARA guidance; when fully implemented, that plan should satisfy the intent of the audit recommendation.

Management Response to 7d:

Management concurs: Management agrees to work with the Physical Security Officer and the Records Officer to address the securing of storage areas and records management. As a part of this process, management will look into the locking of suite doors after business hours as a potential security safeguard.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Management Response to 7e:

Management concurs: Management concurs with this recommendation and will work with the Contracting Office to determine the best course of action for enforcing this requirement.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Management Response to 7f:

Management concurs: Management concurs with this recommendation and will work with the Contracting Officer to develop said policies and procedures.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the
audit recommendation.

Management Response to 7g:

Management concurs: Management concurs with this recommendation and is already in the process of developing division-specific training.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Finding 8: Lack of Detailed Procedures and Periodic Review

The FEC has twenty-eight (28) separate policies governing data security (the 58.x documents, e.g., Federal Election Commission Personnel Security Policy 58-1.1 and Federal Election Commission Security Training and Awareness Policy 58-1.2). Supporting the data security policies are four (4) procedures, eighteen (18) standards, and one (1) guideline. The FEC has two (2) policies governing privacy and data protection, supported by one rule of conduct and one plan to reduce the use and retention of personally identifiable information.

Despite the volume of policies, there is a general lack of detailed procedures that describe how the requirements in the security and privacy policies are to be implemented, beyond the four existing procedures: Access Control Procedures; OIT Procedures for Disabling User Accounts; Office of Information Technology Incident Response Procedures; and Procedures for Managing Change Requests. For instance, the Federal Election Commission Privacy Protection Policies and Procedures document does not contain any procedures.
Section III, “Consent,” states:

“Unless authorized by law, or qualifying for an exemption under the Privacy Act, consent should be obtained from an individual before a record pertaining to that individual, contained in a system of records, is:

Used for a purpose other [missing the word “than”] the purpose for which it was collected; or

Disclosed to any person or to another agency.

However, use and disclosure without consent is permitted under certain circumstances as delineated in subsection (b) of the Privacy Act, such as the exception for routine uses published in the System of Records Notice. FEC offices should consult with the FEC Privacy Officer on questions regarding disclosure or alternative uses without consent.”

The policy does not contain procedures that clearly describe how the requirements would be accomplished. For example, the policy does not answer the following questions:

• Is there a standard form to request and document consent?
• Is written consent required, or is electronic consent acceptable?
• Who is responsible for obtaining the consent?
• Are any identity verification procedures required?
• Where should the consent documents be filed?
• How long should the consent documents be maintained?

Another example is the FEC Media Management Security Policy 58.4-2, which states:

“It is FEC policy that:

Procedures will be defined and implemented to protect computer media such as magnetic tapes, magnetic and optical disks, memory chips, CD ROMs, and other storage devices, throughout their life cycles, taking into consideration applicable property management policies and procedures;

Procedures will be defined and implemented to prevent
access to electronic information and software from computers, disks and other equipment or media when they are disposed of or transferred outside FEC control. These procedures should aim at preventing electronic data that has been deleted or disposed of from being retrieved. Disposal measures should be cost-effective, taking into account information sensitivity; FEC Media Disposal Standards are relevant here.”

While there may be practices in place to address the above requirements, there are no documented procedures.

The definitions of policies, procedures, guidelines and standards used by the Information Systems Audit and Control Association (ISACA), an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems, are:

Policies are a document that records a high-level principle or course of action which has been decided upon.
A policy’s intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.

Standards are a mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Standards Organization (ISO).

Procedures are a detailed description of the steps necessary to perform specific operations in conformance with applicable standards.

Guidelines are a description of a particular way of accomplishing something that is less prescriptive than a procedure.

Based on these standard definitions and a detailed review of FEC documents, additional procedures and modifications to existing supporting documents are required.

Further, the following documents do not have an adoption date or current version date:

• Federal Election Commission Privacy Protection Policies and Procedures;
• Federal Election Commission Guide to Protecting Sensitive Information;
• Federal Election Commission Policy and Plan for Responding to Breaches of Personally Identifiable Information;
• Federal Election Commission Privacy Rules of Conduct;
• Access Control Procedures; and
• the 18 IT Security standards.

There is no defined periodic review cycle, with updating as necessary, for the documents listed above. Dating policies and procedures is a common practice.
There is no standard template, including a date, used for all FEC policy documents.

FEC Directive 65, Designation of Chief Privacy Officer and Senior Agency Official for Privacy, December 4, 2007, references OMB M-05-08 and states that the Senior Agency Official is responsible for “Reviewing and updating policy procedures.”

ISO/IEC 27002, “Information technology - Security techniques - Code of practice for information security management”, published by the International Organization for Standardization and the International Electrotechnical Commission, is a globally accepted information security standard and is considered best practice. This standard states:

“Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.”

The FEC has not implemented a framework, or assigned responsibility to specific staff, for designing, documenting, communicating and training staff on the detailed procedures necessary to implement the existing policies.
Instead, since the number of FEC staff is relatively small, there is reliance on quick and close communication amongst staff to address any questions regarding policy implementation.

Without detailed procedures to support the documented policies, FEC staff may not be sure how to comply with the policies, and management may not be able to hold staff accountable for full compliance. As new employees assimilate into their positions at the FEC, they will not know for certain what the expected compliance procedures are. Instead they will have to ask or observe others, and may or may not learn the appropriate procedures.

If privacy policies and supporting documents are not reviewed regularly and updated, they may not address current legal requirements and risks. Failure to date the agency policies and procedures may result in employees not realizing they are referring to an outdated policy or authoritative document, and can decrease compliance with current requirements. Further, the current condition diminishes the FEC’s ability to successfully enforce disciplinary action if an employee unknowingly relies on an outdated policy or procedure.

Recommendations

We recommend that the FEC:

8a. Should develop, implement and communicate to all employees detailed procedures for each security and privacy related policy. This may need to occur at the division or department level, with the Privacy Team serving as subject matter experts. Detailed procedures will also be helpful for agency staff tasked with monitoring, enforcing and reporting on compliance with the requirements in the associated policies.

8b. Should directly link detailed procedures to the source policies and house them in a central, easily accessible location, such as the FEC Intranet.

8c.
    Should follow a standard template for all policies and supporting documents that includes an adoption date and a last revision date.

8d. Should review all of the privacy and data security policies, procedures, standards and guidelines on a defined, regular timeframe (e.g., annually); the documents should be dated, updated as necessary, and include a point of contact if employees have questions.

Management's General Response to Finding 8:

Prior to responding to specific recommendations, we had a few comments regarding some of the findings in this section of the report. First, we note that IT security policies are reviewed on an annual basis, thus it is not true that “[t]here is no defined periodic review cycle, and updating as necessary,” for those policies. Second, we do not agree that the failure to place dates on policies would diminish the agency’s ability to “successfully enforce” those policies if the employee has been provided with the new policy and still relies on an outdated policy. Employees are held accountable to agency policies unless it is clear that the policies have been revised or overturned.

Auditor Response:

We acknowledge that IT security policies are reviewed on an annual basis. However, there are other documents that are important to the privacy and information protection program that do not appear to have a defined review cycle.
Our recommendation was intended to address the review cycle for the following documents:

• Federal Election Commission Privacy Protection Policies and Procedures;
• Federal Election Commission Guide to Protecting Sensitive Information;
• Federal Election Commission Policy and Plan for Responding to Breaches of Personally Identifiable Information;
• Federal Election Commission Privacy Rules of Conduct;
• Access Control Procedures; and
• the 18 IT Security standards.

Management Response to 8a:

Management concurs in part: Management does not concur with this finding in that we do not believe overarching agency-wide procedures should be detailed to the level specified by the auditors. Nevertheless, we do agree that detailed procedures may be necessary at the division or departmental level. The Privacy Team will encourage and work with FEC division heads in their development of office-specific procedures when necessary.

Auditor Response:

Although FEC management does not concur with the finding, management has agreed to improve procedures at the division level. We look forward to reviewing the details of the plan to coordinate with FEC division heads in the corrective action plan.

Management Response to 8b:

Management concurs: At present, the agency’s IT security policies are housed on the FEC-Wide network drive in the IT policies and standards folders. However, we agree that both privacy and IT security procedures should be housed in a centralized and easily accessible location, and that the FEC Intranet (“FECNet”) would be an invaluable communication tool for that purpose.
The Privacy Team has already commenced this process by working with OCIO to develop a Privacy FECNet page.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Management Response to 8c:

Management concurs in part: Management concurs with the finding that privacy policies should contain an adoption and last revision date, and will revise its policies to ensure such designations are included. We will continue to evaluate whether confidential or sensitivity designations are appropriate for the privacy policies and procedures. We do not agree that a standardized template for privacy policies is always appropriate.

Auditor Response:

A standardized template provides consistent presentation of policy content and can make it easier for a reader to quickly find the information of most interest. However, the substance of the policy is ultimately more important than the format. The agency’s planned action is responsive to the audit issue identified and, when fully implemented, should satisfy the intent of the audit recommendation.

Management Response to 8d:

Management concurs in part: Management agrees that privacy and data security policies, procedures, standards and guidelines should be reviewed periodically to determine if updates are necessary. However, because most of these policies serve as overarching umbrella privacy policies for agency-wide use, it is unlikely that frequent revisions are necessary. We therefore agree to institute a biennial review of the privacy policies. We note that IT security policies are currently reviewed on an annual basis.
We concur with the auditors’ finding that policies, procedures, standards and guidelines should contain effective dates and revision dates as necessary, and should include a point of contact if they do not already (we note that many of the policies already list the Privacy Officers or the Information Systems Security Officer as key points of contact).

Auditor Response:

We recognize management’s partial concurrence with our recommendation. However, we would still encourage management to increase the frequency of this review to annual, because of the ever-changing nature of privacy risks.

Finding 9: Logging

OMB M-06-16, Protection of Sensitive Agency Information, issued June 23, 2006, states:

“In an effort to properly safeguard our information assets while using information technology, it is essential for all departments and agencies to know their baseline of activities. The National Institute of Standards and Technology (NIST) provided a checklist for protection of remote information. (See attachment) The intent of implementing the checklist is to compensate for the lack of physical security controls when information is removed from, or accessed from outside the agency location.
In addition to using the NIST checklist, I am recommending all departments and agencies take the following actions:

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.”

The agency agreed to implement the first three of the four recommendations. In an August 23, 2006 memo to the Commission from the CIO and ISSO, in response to M-06-16, the logging recommendation was not implemented given the opinion “that the cumulative effects of encrypting the entire hard local drive, requiring a 30 minute time out for inactivity and employing a two-factor authentication scheme reduces the Commission’s risk exposure to an acceptable level.”

Encrypting the entire local hard drive, requiring a 30 minute time-out for inactivity and employing a two-factor authentication scheme are not a substitute for logging access to and extracts from systems containing sensitive data. Those three controls are preventive: they reduce the chance that a lost or stolen device, or a stolen password, exposes data. They record nothing about what an authenticated user did with the data once access was granted, which is what logging provides.

Logging of FEC systems activity is currently performed only at the network access level and does not include the specific systems (databases) containing PII.
Therefore, the details of file access are nonexistent and the following details are not recorded or monitored: 1) the identity of the individuals/divisions accessing specific files; and 2) the date/time and actions that were taken on individual files, such as created, copied, updated, or deleted.

FEC’s Auditing and Monitoring Policy, 58-3.3, also states:

“1. PURPOSE

This policy is designed to:

a. Satisfy the purposes and policy goals of the Federal Election Commission (FEC) Information System Security Program Policy, Policy Number 58A.

b. Establish control over the process of monitoring and logging system and user activities. This policy is designed to address the requirement to monitor systems to detect potential threats to electronic information, and record selected system activities that will be stored with integrity, and reviewed by management on a regular basis to detect problems. The policy is enabled by facilities and procedures for monitoring, logging and reviewing system and user actions and high-risk transactions, detecting unauthorized activities, and enabling systems’ and business processes’ integrity to be quickly restored following a security incident. This policy takes into consideration:

I. Authorization;
II. High-risk transactions;
III. Data integrity;
IV. Risk assessments; and
V. Security incidents.

It is FEC policy that:

• FEC information systems have capabilities to automatically monitor, log and review selected user and system actions, events and transactions.
Automated monitoring and audit logging facilities must record, at minimum, actions, events and high-risk transactions articulated in FEC Audit Event Standards;

• Selected system and user actions, events and high-risk transactions to be automatically monitored and/or logged are identified and documented for each FEC computing resource. This list of auditable events is based upon the past experience of error misuse, criticality and interconnectivity of the system processes, events and information;

• Periodic reviews are conducted to ensure monitoring results and audit logs are valid;

• Audit logs are retained so as to preserve their value as legal evidence, and to help identify, prosecute, resolve and/or mitigate security incidents. A framework of controls exists to control physical and logical access to FEC logging facilities and storage media in a way that protects them from unauthorized access, use or modification;

• Audit logs’ retention period is based upon FEC operational requirements, applicable federal guidance, laws and/or regulations;

• All FEC information systems that have the capability to operate a real-time clock will have the clock set to an agreed upon standard (e.g. Universal Coordinated time or local standard time) so that audit logs are both accurate and comparable.
Procedures should be developed to check for and correct significant variations from this standard.”

The FEC has not implemented detailed system logs due to concerns about the system storage resources and associated costs required to maintain and review such logs.

The lack of detailed system logs will compromise the ability to perform forensics should there be a data breach. Our discussion with the FEC Information Systems Security Officer (ISSO) indicated that there were no known system security or data breaches in 2010; however, without a logging and monitoring system in place, it is not possible to know whether there were any attempted or successful system intrusions.

Recommendation

We recommend that the FEC:

9. Implement logging for all computer-readable data extracts from databases holding personally identifiable information (PII).

Further Information on System Logging

System logging is built into numerous applications. The feature can be enabled on a trial basis for some systems containing PII to establish a baseline for electronic storage needs and evaluate actual performance issues. The results will provide quantitative data upon which the Commission can make informed decisions about logging for all systems that contain PII. Depending on the results and individual division needs, logs can be rotated on a predetermined basis; rotated logs should be archived rather than discarded for as long as the retention period set under Policy 58-3.3 requires, since a log that has been overwritten before an incident is discovered has no forensic or evidentiary value.

The Solutions Technology Systems, Inc. (STSI) report issued in May 2009 contained a comprehensive inventory of the applications that contain PII.
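The logging control that recommendation 9 and OMB M-06-16 action 4 describe, as an added example in Python that is not the FEC’s, STSI’s or CBH’s code: it logs each computer-readable extract from a PII table with the identity, division, date/time, query, row count and a fingerprint of the extracted data, chains the log entries so that alteration of the log is detectable (Policy 58-3.3 requires logs to be protected from unauthorized modification), and produces the 90-day list of extracts that have neither been erased nor re-justified. The table, the records in it and the user names are constructed for the example; a production deployment would use the database’s own audit facility and write-once log storage, but the fields recorded would be the same.

```python
"""Hash-chained audit log of PII data extracts with a 90-day re-verification check.

Added example, not FEC code. Table, sample records and user names are constructed.
"""
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # OMB M-06-16, action 4
GENESIS = "0" * 64   # prev_hash of the first log entry
HASHED = ("user_id", "division", "extracted_at", "query", "row_count", "data_sha256")


def open_db():
    """In-memory database with a constructed PII table and the extract log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contributors (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, division TEXT)")
    conn.executemany("INSERT INTO contributors VALUES (?, ?, ?, ?)", [
        (1, "A. Example", "000-00-0001", "Audit"),   # constructed, not real people
        (2, "B. Example", "000-00-0002", "RAD"),
        (3, "C. Example", "000-00-0003", "Audit"),
    ])
    conn.execute("""CREATE TABLE extract_log (
        extract_id INTEGER PRIMARY KEY,
        user_id TEXT NOT NULL, division TEXT NOT NULL, extracted_at TEXT NOT NULL,
        query TEXT NOT NULL, row_count INTEGER NOT NULL, data_sha256 TEXT NOT NULL,
        prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL,
        erased_at TEXT, justified_until TEXT)""")
    return conn


def _entry_hash(prev_hash, fields):
    """Chain each entry to its predecessor so edits to earlier entries are detectable."""
    return hashlib.sha256((prev_hash + json.dumps(fields, sort_keys=True)).encode()).hexdigest()


def extract(conn, user_id, division, query, params=(), now=None):
    """Run a read query against PII and log who, when, what and how much before returning rows."""
    now = now or datetime.now(timezone.utc)
    rows = conn.execute(query, params).fetchall()
    fields = {
        "user_id": user_id, "division": division, "extracted_at": now.isoformat(),
        "query": query, "row_count": len(rows),
        # fingerprint of the extracted data, so a copy found later can be matched to this extract
        "data_sha256": hashlib.sha256(json.dumps(rows).encode()).hexdigest(),
    }
    last = conn.execute("SELECT entry_hash FROM extract_log ORDER BY extract_id DESC LIMIT 1").fetchone()
    prev_hash = last[0] if last else GENESIS
    cur = conn.execute(
        "INSERT INTO extract_log (user_id, division, extracted_at, query, row_count, data_sha256, "
        "prev_hash, entry_hash) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        tuple(fields[k] for k in HASHED) + (prev_hash, _entry_hash(prev_hash, fields)))
    conn.commit()
    return cur.lastrowid, rows


def record_erasure(conn, extract_id, now=None):
    """Record destruction of the extracted copy (method per FEC Media Disposal Standards)."""
    now = now or datetime.now(timezone.utc)
    conn.execute("UPDATE extract_log SET erased_at = ? WHERE extract_id = ?", (now.isoformat(), extract_id))
    conn.commit()


def justify_retention(conn, extract_id, until):
    """Record a documented need that keeps the extract past the 90-day check, until a given date."""
    conn.execute("UPDATE extract_log SET justified_until = ? WHERE extract_id = ?", (until.isoformat(), extract_id))
    conn.commit()


def overdue_extracts(conn, now=None):
    """Extracts older than RETENTION_DAYS that are neither erased nor currently justified."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()  # ISO-8601 UTC strings compare correctly
    return conn.execute("""SELECT extract_id, user_id, division, extracted_at FROM extract_log
        WHERE extracted_at <= ? AND erased_at IS NULL
          AND (justified_until IS NULL OR justified_until < ?) ORDER BY extract_id""",
        (cutoff, now.isoformat())).fetchall()


def verify_chain(conn):
    """Recompute the chain; False if an entry was altered or removed from inside it.
    (Truncation of the tail is only detectable if the latest hash is also recorded off-system.)"""
    prev_hash = GENESIS
    for row in conn.execute("SELECT user_id, division, extracted_at, query, row_count, data_sha256, "
                            "prev_hash, entry_hash FROM extract_log ORDER BY extract_id"):
        if row[6] != prev_hash or row[7] != _entry_hash(prev_hash, dict(zip(HASHED, row[:6]))):
            return False
        prev_hash = row[7]
    return True


def demo():
    """Three constructed extracts reviewed on day 95: (overdue ids, chain intact, chain after tampering)."""
    conn = open_db()
    t0 = datetime(2011, 1, 3, 9, 0, tzinfo=timezone.utc)
    e1, _ = extract(conn, "jdoe", "Audit", "SELECT name, ssn FROM contributors WHERE division = ?", ("Audit",), now=t0)
    e2, _ = extract(conn, "asmith", "RAD", "SELECT name FROM contributors", now=t0 + timedelta(days=1))
    e3, _ = extract(conn, "jdoe", "Audit", "SELECT ssn FROM contributors WHERE id = ?", (2,), now=t0 + timedelta(days=2))
    record_erasure(conn, e1, now=t0 + timedelta(days=30))   # destroyed: passes the 90-day check
    justify_retention(conn, e2, t0 + timedelta(days=180))   # still needed: passes with a justification
    overdue = [r[0] for r in overdue_extracts(conn, now=t0 + timedelta(days=95))]  # e3 has neither
    intact = verify_chain(conn)
    conn.execute("UPDATE extract_log SET user_id = 'unknown' WHERE extract_id = ?", (e3,))  # hide who ran it
    return overdue, intact, verify_chain(conn)


if __name__ == "__main__":
    print(demo())  # ([3], True, False)
```

The 90-day check is a single query, so it can run as a scheduled report to the ISSO, and the storage that management raises as a concern is one short row per extract rather than a copy of the data, which is the kind of baseline figure a trial run on one division would quantify. The hash chain covers the identity, time, query and fingerprint fields only; the erased and justified columns are meant to change later and are left out of it.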
The report also identified the divisions that process PII, and the FEC
ISSO can choose a relatively small division to pilot this project.

Management Response:

Management does not concur: Management continues to believe that the encryption, 30-minute time
out, and two-factor authentication controls currently in place for FEC mobile devices and computers are
sufficient to prevent and/or significantly reduce the agency’s risk exposure. As noted by the auditors, the
agency currently monitors and logs access to the agency’s network. We manage access to sensitive
information by properly managing access control, i.e. we only provide access to sensitive information to
those individuals who need access in order to complete their authorized duties. Therefore additional
logging of persons already authorized to access, copy, delete, and/or move PII would not be cost
effective.

Auditor Response:

We acknowledge that the controls management describes are appropriate. However, without logging,
there is no record of user activity or of the nature of system activity, which is essential for a forensic
review in the event of a system intrusion or unauthorized activity. Effective logging not only captures the
activity of employees but also the activity of unauthorized individuals or entities if they penetrate the
FEC’s network.

Finding 10: Protections for Remote Access to PII

The FEC Policy 58-4.5, Virtual Private Network (VPN), does not specifically require that employees must
save work related data to FEC network drives instead of the local hard drive.
FEC Directive 58,
Electronic Records, Software and Computer Usage, states:

        “As the principal component of FEC System Security Program, end users take on the burden of
        protecting the confidentiality, integrity and availability of information when you bypass FEC
        security guidelines by saving your work to media other than the FEC network. As in the case of
        paper records, each individual user is also responsible for the erasure and/or destruction of any
        sensitive information the user chooses to store outside of the FEC network.”

As written, the policy is clear but is not adequate in that it provides employees the flexibility to save work
locally as needed with the “burden of protecting the information.” The policy does not limit the practice
to specific working arrangements or emergency situations, such as remote audits or inability to access the
FEC networks.

This is a prior audit finding that management disagreed with, and instead chose to rely on email
reminders.

Users may save their work to local hard drives, thus placing the information at greater risk of being
accessible by an unauthorized individual. Also, the practice of saving information locally does not enable
automatic back-up and recovery of information if a computer is lost, stolen or impaired. Failure to
explicitly state the requirement to save all data to FEC networks in a policy compromises the agency’s
ability to monitor and enforce employee protection of work related data.

Recommendations

We recommend that the FEC:

        10a.    Should change Policy 58-4.5, Virtual Private Network (VPN), and Directive 58,
                Electronic Records, Software and Computer Usage, to state that work related data must
                be saved to the network and not downloaded and saved on local devices.
Exceptions to
                the policy should be clearly documented and approved by management, and, where
                possible, compensating controls put in place.

        10b.    Should further reinforce the key elements in Policy 58-4.5, Virtual Private Network
                (VPN), and other security policies and also design and implement a formal
                communications plan to reinforce key privacy and security principles contained in the
                policies and training. This communication plan should include scheduled periodic
                reminders to employees and contractors on key principles that can be delivered through
                such means as emails, log-in banners, newsletter articles, posters or other existing
                communication vehicles currently used to communicate with employees. The most
                effective messaging is typically brief and focused on a single topic. For example, an
                email message such as: REMINDER: Save all your work on the network and do not
                download to your computer.

        10c.    Modify the Intranet to contain a page with privacy and data protection policies,
                procedures and updates. This would ensure that all FEC employees are aware of the
                policies with regard to PII, and privacy and data protection.

Management Response to 10a:

Management concurs in part: While management concurs with this concept in general, we note that
some of the factual findings are inaccurate.
The audit report assumes that employees are given a choice
as to whether to save information on the FEC network and that current policies reflect that choice.
However, the most current version of the Virtual Privacy Network (VPN) Policy 58-4.5 (adopted May 19,
2009 and revised in February 2010) requires that employees “[s]ave work-related data to the network to
ensure proper backup occurs.” Thus, our current policies already implement this recommendation.
Nevertheless, we concur with the use of the verb “must” in future revisions to the policy and will make
those changes in the Policy and in Directive 58 if necessary. It should further be noted that employees are
informed in privacy training that “[e]mployees and contractors must save work-related data to the FEC
network.” We would also agree that the VPN policy should include information regarding requesting
exceptions to the policy, namely that the policy will: 1) include a statement that exceptions will be made
on a case-by-case basis; 2) name the agency official authorized to grant an exception (e.g., Chief
Information Officer); and, if possible, 3) provide examples of the criteria used to grant an exception.

Auditor Response:

The quote from Policy 58-4.5 is: “All VPN users are encouraged to remember that: save work-related
data to the network to ensure proper backup occurs.” Our recommendation is that this wording be
stronger. The agency’s planned action is responsive to the audit issue identified and when fully
implemented, should satisfy the intent of the audit recommendation.
We look forward to reviewing the
updated policy.

Management Response to 10b:

Management concurs: Management agrees to develop a communication plan that will include methods
of reinforcing key privacy and security principles via the use of log-in banners, emails and/or other
vehicles (e.g., using FECNet as a communicating tool).

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and when fully implemented,
should satisfy the intent of the audit recommendation. We look forward to reviewing the communication
plan.

Management Response to 10c:

Management concurs: Management agrees to develop a Privacy page on FECNet and has already
begun this process.

Auditor Response:

The agency’s planned action is responsive to the audit issue identified and when fully implemented,
should satisfy the intent of the audit recommendation.

Finding 11: Vendor Due Diligence

The FEC privacy governance framework should be expanded to include not only PII that is collected,
processed, transmitted or stored by the FEC, but also PII that is provided to and/or stored by vendors.
Currently, there is no comprehensive list of all vendors that handle FEC PII and there is no formal process
in place to understand, document, and assess the controls in place at vendors, prior to, or after, providing
access to FEC PII. Instead, the agency primarily relies on protective language in the contractual
agreements with these vendors.
While including confidentiality and non-disclosure language in contracts
with vendors helps to protect the FEC’s interests, it does not address or provide reasonable assurance that
the vendor can adequately protect FEC PII.

The FEC plans to conduct a review of a random sample of agency contracts every two years, as required
by Circular A-130 (1) section (m):

        “Review every two years a random sample of agency contracts that provide for the maintenance
        of a system of records on behalf of the agency to accomplish an agency function, in order to
        ensure that the wording of each contract makes the provisions of the Act binding on the
        contractor and his or her employees. (See 5 U.S.C. 552a(m)(1))”

As part of this review, the terms and conditions relating to privacy and data protection are also examined.
As planned, the biennial review is performed based on a random sample and is not focused on the
contracts of vendors who have access to FEC PII. Further, the biennial contract review conducted to
satisfy the requirements of OMB Circular A-130 has not been completed on time due to resource
constraints in the Office of General Counsel (OGC). The last biennial review of a sample of contracts
was completed October 7, 2008.

The purpose of the FEC Third Party Services Policy, 58-1.5, is to:

    a.  “Satisfy the purposes and policy goals of the Federal Election Commission (FEC) Information
        System Security Program Policy, Policy Number 58A;

    b.  Establish control over the process of managing to risks associated with use of third parties by the
        FEC. This policy addresses the requirement to prevent non-FEC users who have been authorized
        access to FEC electronic information and computing assets from compromising the FEC systems
        security environment.
This policy is enabled by control measures to review and monitor existing
        contracts and procedures for their effectiveness and compliance with FEC policy, and takes into
        consideration:

                i.   Third-party service agreements;
                ii.  Non-disclosure agreements;
                iii. Legal and regulatory requirements; and
                iv.  Service delivery monitoring.”

The FEC Privacy Protection Policies and Procedures states:

        “Co-Chief Privacy Officers/Co-Senior Agency Officials for Privacy are responsible for: ensuring
        compliance with applicable privacy and data protection laws, regulation and policies.”

A formal risk assessment process inclusive of assessing the risks around FEC PII that has been entrusted
to vendors has not been adopted. Resource constraints limit the ability to complete vendor reviews
consistently and in a timely manner.

The absence of a comprehensive list of all vendors that handle FEC PII results in the inability to fully
assess the privacy related risks these vendors pose to the agency. It may also result in the biennial
contract review process being based on a sample of contracts that is selected from an incomplete
population of all vendors that handle FEC PII and could result in a false conclusion from the review.

Failure to review the security and privacy controls at vendors prior to sharing FEC PII places the agency
at risk for litigation if the information is lost or compromised.
If a breach of FEC data held by its vendors
occurred, it could result in:

    •   damage to the individuals whose personal information was disclosed;
    •   adverse media coverage and embarrassment for the FEC and potential Congressional inquiry;
    •   financial consequences to address an unauthorized disclosure of information; and
    •   potential litigation.

Recommendations

We recommend that the FEC:

        11a.    Should develop and maintain a comprehensive list of all vendors that handle PII.

        Further Information

                This information could be gathered from each of the Contracting Officer’s Technical
                Representatives (COTRs) and the STSI inventory results, after review and update, to get
                an initial comprehensive list. A form that could be used by COTRs for all new contracts
                should be developed and implemented to document if the vendor will have access to FEC
                PII, with a copy of the form provided to the co-Chief Privacy Officers before the contract
                is signed, so that a risk assessment of the vendor could be performed.

        11b.    Should develop a policy and supporting procedures to assess and approve vendors with
                access to FEC PII to reasonably ensure that the vendor has adequate controls in place to
                protect the information before any PII is provided to the vendor.

        Further Information

                The policy should include a risk rating system whereby service providers are ranked (e.g.,
                high, medium, low) based on the nature and volume of FEC PII to which they will be
                provided access. The higher the risk rating, the more comprehensive the level of review that
                should be exercised by the FEC.
Approaches to gather information from the vendors and
                perform a review of the information security and privacy controls can range from the
                vendor completing a security and privacy questionnaire, through an on-site review of the
                vendor’s controls by FEC staff or contractors, to reliance on a review of the vendor’s
                controls performed by a third party (e.g., SAS 70 report). Any reliance on SAS 70 reports
                provided by the vendor should include a step to ensure that the scope of that work was
                inclusive and sufficient to cover the systems and processes used to collect, process,
                transmit or store FEC PII. The “user control considerations” section of any SAS 70
                report should also be reviewed by the FEC to ensure that the agency has these controls in
                place, as they are specifically excluded from the vendor’s responsibility in the report.

        11c.    Should formally document the process used to review the FEC’s vendors, and the results
                should be retained to evidence the review procedures performed. In addition, there
                should be documented management approval from the department head that is the source
                of the information to be shared with the vendor and either of the co-Chief Privacy
                Officers before the vendor is provided access to FEC PII. There may be more than one
                department head that should review and approve a specific vendor if the PII affected
                pertains to more than one department.

Management Response to 11a:

Management concurs: Management agrees it will work with the Contracting Officer to develop a
process to maintain a comprehensive list of PII vendors.
However, we note that OMB Circular A-130
only requires that a random sample of “Section (m)” contracts be reviewed, and that having a
comprehensive list will not necessarily “result in a false conclusion from the review.”

Auditor Response:

While only a sample of contracts needs to be reviewed, selection of the sample should be from a complete
and accurate list. The agency’s planned action is responsive to the audit issue identified and when fully
implemented, should satisfy the intent of the audit recommendation.

Management Response to 11b:

Management concurs in part: We agree that policies and procedures to assess and approve vendor
controls for FEC PII are important, and have already done so by incorporating privacy policies for
vendors in the FEC Privacy Protection and Policies and Procedures, FEC Third Party Services Policy
58-1.5, Privacy Rules of Conduct, and the Nondisclosure Agreement for Contractors. We will work with the
agency’s Contracting Officer and Chief Financial Officer to develop policies and supporting procedures
that will require prospective contractors to provide sufficient evidence of internal controls that will
safeguard the agency’s sensitive information or PII that the contractor has access to. We do not agree that
a risk rating system is necessary, and thus decline to implement this part of the recommendation at this
time, but will strongly consider it.

Auditor Response:

The agency’s planned action is responsive to most of the audit issue identified and when fully
implemented, should satisfy the basic intent of the audit recommendation.
We look forward to reviewing
the details regarding consideration of a risk rating as part of the vendor review process in the corrective
action plan.

Management Response to 11c:

Management concurs in part: We agree that the process for reviewing the FEC’s vendors for privacy
controls should be developed and documented, and will work with the agency’s Contracting Officer to
accomplish this purpose. Moreover, we agree that there should be some sort of approval before a vendor
is provided access to FEC PII; however, we do not believe the division head may be the appropriate
person. Instead, we believe that approval by a CPO or their designee would be sufficient. We will
consider various options for ensuring that an approval process is implemented, including but not limited
to revising the Nondisclosure Agreement for Contractors to contain an approval statement and a signature
block for the approving official.

Auditor Response:

We recognize management’s efforts to concur with our recommendation. However, we still believe
division head involvement in the vendor approval process is appropriate because they have primary
fiduciary responsibility for the information in their respective division. We look forward to reviewing the
details of the planned actions in the corrective action plan.

Finding 12: System of Records Notice (SORN) Updates

Controls are not adequate to ensure the FEC Systems of Records (SOR) is updated and published in
accordance with the Privacy Act of 1974 and OMB Circular A-130.
Since the prior audit report was
released on December 7, 2007, the FEC has taken the following steps toward governance and to ensure
compliance with OMB Circular A-130, Appendix I, and the Privacy Act:

     •  the FEC published an updated System of Records Notice (SORN) in the Federal Register on
        January 2, 2008;
     •  the Office of General Counsel (OGC) developed SORNs Review Guidelines on February 4, 2009,
        which detailed the review period between January and June 2009;
     •  the Privacy Team provided training to FEC managers on the Privacy Act System of Records
        Notice Review on March 26, 2009;
     •  the Privacy Team required system managers, using the training provided, to review existing
        SORs with the goal to amend or revise them for new systems or changes to existing systems, as
        well as deleting obsolete systems. The deadline established for review, updates and reporting
        from systems managers was April 20, 2009; and
     •  the FEC contracted with Solution Technology Systems, Inc. (STSI) to conduct a comprehensive
        analysis and inventory of PII documents and how they are used throughout the Commission. The
        inventory and a report of recommendations were provided by the contractor on May 20, 2009.

STSI also provided a Procedures for Conducting the Circular A-130 Systems of Records Notices Review
general guidance document for conducting the agency’s biennial SORNs review. The document provides
an eight-step sequential process for conducting the biennial review but does not include a timetable for
performing the review or for monitoring and reporting whether the review was completed on time.
During the
2009 SORN review, and consistent with prior biennial review efforts, the agency reviewed its existing
SORs, received feedback from system managers[11], analyzed the information received, and prepared a
report on revisions necessary to the published SORN. The agency, however, failed to publish an updated
SORN. Although the training for system managers and requests to provide feedback on the need to revise
and publish new SORs was completed in March and April 2009, the Privacy Act System of Records Notice
Recommendations memorandum was issued by Privacy Team members on August 31, 2010, well after
the planned review period of January to June 2009, and eight months after the January 2010 biennial
update deadline had passed.

[11] The FEC OIG provided updates to SOR 12, Inspector General Investigative Files, to the Privacy Team on
April 2, 2009.

The Privacy Act System of Records Notice Recommendations identified several systems requiring new
SORNs: Skillport training database; FEC Systems Access (FSA) database; FORCES Commenter
Systems; and Grievance and Arbitration Files. It also identified major and minor revisions required to
existing SORs: HSPD-12; Payroll (to reflect WebTA); Garnishments, Grievance and Arbitration files;
and OIG Investigation files. Skillport has been in use by the FEC since November 2006 and the WebTA
time and attendance system was implemented in November 2008. The FSA system was implemented in
December 2009. Due to the delay in documenting and publishing the SORNs, the FEC is not compliant
with OMB A-130, and its own SORN Review Guidelines, which state:

        “Our last SORNs were published in January 2008 – any “major alterations” to the SORNs must
        be reported to Congress and OMB within 40 days after the operation of the new SOR[12].
Minor
        changes to a SOR (e.g., system manager name changes) can be grouped into one annual
        comprehensive publication on the Federal Register without any report to Congress or OMB. Cir.
        A-130(3)(a)(8).”

The process to ensure that the FEC’s SOR is updated and published in accordance with the Privacy Act of
1974 and the OMB Circular A-130, Appendix I, is not fully documented or performed to ensure
compliance with the Privacy Act and OMB standards.

The Federal Election Commission Privacy Protection Policies and Procedures states:

        “FEC Privacy Officer is responsible for: reviewing (every two years) the FEC System of Records
        Notices for accuracy and ensuring amended notices are published in the Federal Register. The
        general public shall be notified of the FEC's systems of records through notice in the Federal
        Register, in compliance with the Privacy Act. The notice shall include, among other things, the
        name and location of the system, the purpose of the system, the categories of records maintained
        in the system and the routine uses of the records.
If a routine use needs to be changed or added,
        modifications will be published in the Federal Register 30 days prior to those changes going into
        effect, and will allow for interested persons to submit comments.”

Consolidated Appropriations Act of 2005, Section 522 (a) (3) states:

        “Each agency shall have a Chief Privacy Officer (CPO) to assume primary responsibility for
        privacy and data protection policy, including assuring that personal information contained in
        Privacy Act systems of records is handled in full compliance with fair information practices as
        defined in the Privacy Act of 1974.”

OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records about
Individuals, states:

        Section 5 Publication Requirements: “The Privacy Act requires agencies to publish notices or
        rules in the Federal Register in the following circumstances: when adopting a new or altered
        system of records, when adopting a routine use, when adopting an exemption for a system of
        records, or when proposing to carry out a new or altered matching program.”

        Section 5.a (2) (a) System Notice: “The system of records notice must appear in the Federal
        Register before the agency begins to operate the system, e.g., collect and use the information”.

[12] OMB defines “major alterations” as: (a) A significant increase in the number, type, or category of
individuals about whom records are maintained. For example, a system covering physicians that has been
expanded to include other types of health care providers, e.g., nurses, technicians, etc., would require a
report. Increases attributable to normal growth should not be reported; (b) A change that expands the types
or categories of information maintained. For example, a benefit system which originally included only
earned income information that has been expanded to include unearned income information; (c) A change
that alters the purpose for which the information is used; (d) A change to equipment configuration (either
hardware or software) that creates substantially greater access to the records in the system of records. For
example, locating interactive terminals at regional offices for accessing a system formerly accessible only
at the headquarters would require a report; (e) The addition of an exemption pursuant to Section (j) or (k)
of the Act. Note that, in examining a rulemaking for a Privacy Act exemption as part of a report of a new
or altered system of records, OMB will also review the rule under applicable regulatory review procedures
and agencies need not make a separate submission for that purpose; (f) The addition of a routine use
pursuant to 5 U.S.C. 552a(b)(3). See OMB Cir. A-130, App. I.

Privacy Act of 1974, § 552a (e) (4), states:

        “Publish in the Federal Register upon establishment or revision a notice of the existence and
        character of the system of records.”

During discussion with Privacy Team members responsible for performing the biennial review and
publishing the revised SORN, team members indicated that although required changes to the SORN were
known, documenting SORs for new systems and amending existing systems was a large task that would
take a great deal of time.
Members of the FEC Privacy Team cited resource constraints and other
priorities as the reason timely SORNs are not published. The Commissioners may not be aware that the
agency is not compliant with Federal regulations with respect to SORN publication.

For the period reviewed, the Commission was not in full compliance with the Privacy Act of 1974 and
OMB Circular A-130, Appendix I. The public was not made aware of all sensitive information being
retained by the Commission. In addition, the public is not informed of the FEC systems that contain PII
and given the opportunity to request access and/or changes to their records on a timely basis.

Recommendations

We recommend the FEC Privacy Officer:

12a.  Develop a standardized template to allow system managers to accurately document SORs
      independently of the Privacy Team.
12b.  Enhance existing guidelines and procedures to include timelines and deadlines that promote
      regular review and timely updates to SORs.
12c.  Work with ITD management to incorporate SORs assessment processes into systems under
      development and IT lifecycle management processes.
12d.  Work with the Physical Security Officer, the FEC Records Officer, and FEC management to
      incorporate SORs assessment processes into electronic and paper records management processes.
12e.
Develop and implement policies and procedures that define monitoring and reporting processes to
      ensure SORs are updated and amendments published in accordance with Federal regulations by:
        •  providing regular training to FEC managers and SOR system owners/managers;
        •  establishing deadlines, based on the legal requirements of OMB A-130, for documenting the
           new SORs, revising existing SORs, and publishing the updated SORN;
        •  providing legal assessment of potential changes in SORs and quality assuring the SORs
           produced by system owners/managers;
        •  including performance standards in employee performance plans that are linked to
           successful compliance with Federal regulations; and
        •  requiring regular reporting of compliance with the timelines to the Commission.

Management Response to 12a:

Management concurs in part: Management believes that devising a template that can be used to allow
system managers to report systems of records is a good idea, and will strongly consider it. However, we
foresee some issues in implementing such a process, namely getting the necessary support for the idea
from managers; providing adequate training to system managers on privacy issues; and establishing
accountability to ensure that managers complete the template.
For that reason, we cannot commit to
implementing this recommendation but will strongly consider it.

Auditor Response

At this time management has not committed to implementing this recommendation; however, we
look forward to reviewing the details of management’s planned approach to addressing this
recommendation in the corrective action plan.

Management Response to 12b:

Management concurs: We agree to update the SORNs Review Guidelines and the Procedures for
Conducting the Circular A-130 System of Records Notices Review to include internal benchmarks and
goals for biennial reviews and updates of SORNs and SORs.

Auditor Response

The agency’s planned action is responsive to the audit issue identified and when fully implemented,
should satisfy the intent of the audit recommendation.

Management Response to 12c:

Management concurs: There are times when a new IT system is developed for a particular purpose
that is not already covered by a SORN. For example, a commenter rulemaking system is being developed
with the purpose of collecting certain personal information from commenters to Commission proposed
rulemakings, and the Commission’s storage of that information, and the way that that information is
organized in the system (i.e. by the commenter’s name), may make it a system of records.
Under these\ncircumstances, where a new IT system is being developed that would not be covered by existing SORNs,\nwe agree that a SOR assessment should be done and privacy considerations taken into account.\n\nOn the contrary, where IT systems are developed in such a way that they are not system of records (e.g.,\nthey store PII but are not organized by a personal identifier), or the information that they hold may\nalready be covered by an existing SORN (e.g., a new system for storing FOIA requests), a SOR\nassessment is not necessary.\n\nAuditor Response\n\nThe agency\xe2\x80\x99s planned action is responsive to the audit issue identified and when fully implemented,\nshould satisfy the intent of the audit recommendation.\n\nManagement Response to 12d:\n\nManagement concurs: We agree to work with the Administrative Services and the Commission\nSecretary\xe2\x80\x99s Office to ensure that SORs are considered during records management and physical security\noperations.\n\nAuditor Response\n\nThe agency\xe2\x80\x99s planned action is responsive to the audit issue identified and when fully implemented,\nshould satisfy the intent of the audit recommendation.\n\n                                                 60\n\n\x0cManagement Response to 12e:\n\nManagement concurs in part: We agree that regular system manager training should take place and are\nin the process of creating such training. Some system manager training was previously conducted in 2009\nin connection with the SORNs review. The deadlines for SORNs review and publication are already\nprescribed by OMB Circular A-130 and therefore do not need to be established by the agency. However,\nwe will agree to create internal benchmarks or goals to improve our timeliness in this area, consistent with\nthe Circular A-130 deadlines, and subject to staff resources. 
As evidenced by the August 31, 2010\nSORNs Review Memorandum, we agree to continue providing legal assessments of the potential changes\nin SORs.\n\nWe do not concur with the finding that performance standards will need to be revised to include\ncompliance with SORNs deadlines. As mentioned in response to Finding 1b, the CIO and AGC-GLA are\nexplicitly responsible for privacy duties under Directive 65. They, in turn, hold the other Privacy Team\nmembers accountable for their privacy responsibilities. Privacy duties are already an inherent part of the\nteam members\xe2\x80\x99 performance evaluations.\n\nFinally, Commissioners are annually notified of the agency\xe2\x80\x99s privacy progress in several ways, for\nexample: through submission of the 522 Privacy Act Report to Congress to the Commission; and through\nsubmission of the FISMA/Privacy Management Report to the Commission\xe2\x80\x99s Chair. Moreover, the\nCommissioners at any time may receive progress updates by the Chief Privacy Officers (CPOs).\n\nAuditor\xe2\x80\x99s Response:\n\nWe recognize management\xe2\x80\x99s efforts to concur with our recommendation. However, we still recommend\nthat compliance with SORN deadlines be explicitly added to performance plans as stated in our auditor\nresponse for recommendation 1b.\n\nFinding 13: Training Workstations\n\nWhile completing the required training as part of the contractor on-boarding process on November 2,\n2010, we noted that generic user IDs and passwords were taped to the top of each training station with NT\nlogin and Lotus Notes generic login credentials. 
We noted that workstations had access to a network\ndrive that contained numerous confidential documents, such as: an employee position classification and\nassessment document; a compilation of informal guidance provided by the Public Financing Audit Advice\nteam in response to diverse legal questions from other Commission Divisions; a large deposition from a\nmatter under review; and other such confidential documents. We also noted during the afterhours\nwalkthroughs that the door to the training room was not locked, thus anyone in the building could have\npotentially accessed the network files.\n\nThe Federal Election Commission Privacy Protection Policies and Procedures states:\n\n        \xe2\x80\x9cSystems managers are responsible for overseeing the implementation of administrative,\n        technical, and physical safeguards for the system(s) they manage in order to prevent\n        unauthorized disclosure of personal information.\n\n        The FEC shall provide security protection for all records that contain personal information\n        maintained in FEC\xe2\x80\x99s systems to ensure the accuracy, integrity and confidentiality of the records.\n        The FEC\xe2\x80\x99s security protections for systems that store personal information shall include\n        appropriate administrative, technical and physical safeguards such as:\n\n\n                                                  61\n\n\x0c        A. Physical security of both hard copy and electronic data;\n        B. Personnel security for employee and contractor access to data;\n        C. Network security for data in transit; and\n        D. 
Secure and timely destruction of records.\n\n        The security protection afforded each system shall be commensurate with the risk level and\n        magnitude of harm the FEC and/or the record subject would face in the event of a security\n        breach.\xe2\x80\x9d\n\nThe generic user IDs and passwords are posted on the workstations to facilitate employee and contractor\ntraining. The FEC training instructor was not aware that non-training related materials were accessible on\nthe training workstations. Trainees could access FEC confidential information before completing the\nprivacy and data security training. Employees, contractors or other individuals with physical access to the\nbuilding could obtain sensitive information by using the generic user IDs and passwords.\n\nRecommendation\n\nWe recommend that the FEC:\n\n        13.     Restrict the training workstations to only be able to access training materials.\n\nManagement Response:\n\nManagement concurs: The Commission takes serious its responsibility to properly secure sensitive\ninformation and will immediately take action to restrict training workstations and student accounts to only\ntraining materials.\n\nAuditor Response:\n\nThe agency\xe2\x80\x99s planned action is responsive to the audit issue identified and when fully implemented,\nshould satisfy the intent of the audit recommendation.\n\n\n\n\n                                                   62\n\n\x0c                                      ATTACHMENT 1 \n\n                            COVER MEMO TO MANAGEMENT RESPONSES\n\n\n       Cover Memo to Management Responses to the Cherry Bekaert & Holland LLP\n              2010 Follow-up Audit of Privacy and Data Protection Report\n\n\n                                                                  March 16, 2011\n\nMEMORANDUM\n\nTO:     \t       Lynne McFarland\n                Inspector General\n\n                Jonathan Hatfield        \n\n                Deputy Inspector General           
FROM:           Alec Palmer
                Acting Staff Director
                Chief Information Officer
                Co-Chief Privacy Officer

                Lawrence L. Calvert
                Associate General Counsel for General Law and Advice
                Co-Chief Privacy Officer

SUBJECT:        Management Responses to the 2010 Follow-Up of the 2007 Performance Audit of Privacy and Data Protection Report

We appreciate the opportunity to respond to the 2010 Follow-Up of the 2007 Performance Audit of Privacy and Data Protection Report, conducted pursuant to section 522 of the Consolidated Appropriations Act, 2005. We consider privacy to be a matter of great importance and have undertaken significant efforts to ensure compliance.

The FEC has always taken very seriously the need to protect the security and privacy of information in its possession. We are constantly aware that we possess sensitive information about individuals’ involvement in activities that lie at the heart of the First Amendment. Our statute commands us, for example, not to make public information concerning ongoing enforcement matters, and our record of complying with this mandate over the past three decades is excellent.

Since 2007, the agency has gone to great lengths to improve its privacy program. In 2008, the agency published its first updated systems of records notice (SORN) in thirteen years, and issued multiple privacy policies and procedures based on the 2007 audit findings. Since 2008, the agency has completed several OMB Circular A-130 mandated reviews, including: two Section (m) contract reviews, a comprehensive SORNs review, and a privacy training review. Additionally, since 2008, the agency has conducted annual privacy and security awareness training for both contractors and employees. In 2010 that training was revised to incorporate test questions aimed at ensuring employees understood their privacy duties. The agency is also in the midst of developing office-specific privacy training. In 2009, the agency developed a comprehensive inventory of its Personally Identifiable Information (PII), and as a part of that project created draft procedures for updating the inventory. In 2010, the agency completed Phase 1 of its plan to eliminate unnecessary social security number (SSN) use, and created a report of recommendations for the Chief Privacy Officers to consider. Additionally, the agency has conducted reviews of its SSN use and is in the midst of completing its report on the PII Review findings. Finally, the agency has annually published its Privacy Management Report to OMB and its Privacy Act Report to Congress, has updated its website to include Privacy Act complaint and contact information, and is developing a privacy intranet page. We believe that these accomplishments show the Commission’s commitment to privacy and our desire to improve our data protection practices.

It is also because of these accomplishments that we must respectfully disagree with the auditors’ characterizations of management’s response to the 2007 performance audit findings. The 2010 findings summary chart characterizes most of the recommendations as “repeat finding[s]” from the 2007 performance audit. This characterization is also found in the executive summary, where it states that “[s]ixteen (16) of nineteen (19) previous recommendations are still open….” These are not accurate characterizations. The majority of the findings from the 2007 report were in fact addressed and closed; the findings in the 2010 report are, as one might expect from a follow-up audit, follow-up findings which appear to be aimed at addressing actions that need to be taken to maintain or improve upon the actions taken in response to the 2007 audit. We disagree with the characterization of these findings as “repeat findings” to the extent that label is intended to imply that the 2007 report findings were ignored or never addressed. None of the 2007 findings were ignored, and all but the two with which management disagreed at that time were addressed. For example, the 2007 report found that “a comprehensive inventory of personally identifiable information has not been documented.” As a result of this finding, in 2009 the agency created a documented comprehensive inventory of its PII. The current audit finds that “a current PII inventory is not maintained.” While we acknowledge below the need to maintain and expand on our efforts in this area, we reject any implication that the previous finding was not acted on.

Privacy and data protection is a work always in progress. We always welcome recommendations for improvement in our program, and indeed we believe that under the standards of this audit for “repeat” or “open” findings there will as a result be findings in future audits that always remain “open.” We simply wish to make it clear that, except for the findings from 2007 on which management disagreed with the findings and recommendations, we acted on all of those findings.

We also disagree with the characterization in the Executive Summary that the other duties of the co-CPOs and the other members of the privacy team lead to the spending of “minimal” time on privacy duties. None of the accomplishments described above could have occurred as the result of a “minimal” investment of time.
We do agree that at any given moment, privacy related functions may have a greater or lesser amount of resources devoted to them depending on their priority relative to other demands on the agency.

We recognize that in the Internet age, special attention has to be devoted to specific concerns related to the privacy of information about individuals – both for the First Amendment-related reasons with which the Commission has always been concerned, and because of the potential for problems such as identity theft. We believe we have accomplished a good deal with our Privacy Program, given its relative youth and the budgetary and human resource limitations that we face as a small agency of fewer than 400 employees.

                                                              ATTACHMENT 2

                                      Status of 2006 and 2007 Privacy Findings and Recommendations

                                                PRIVACY AND DATA PROTECTION FOLLOW-UP AUDIT


OIG 2006 Inspection Report on Personally Identifiable Information
(Columns: Finding; Recommendation; Auditor verified Status December 2007; 2010 Follow-up Audit Status and Link to Report Findings)

Finding: Confirm identification of personally identifiable information protection needs
Recommendation: Perform a risk assessment to examine the threats and vulnerabilities associated with remote access to Federal Election Commission (Commission) resources and physical removal of PII.
Auditor verified Status December 2007: Open. Management will perform risk assessments for major applications and the general support system (GSS) in the near future. An examination of threats and vulnerabilities associated with remote access to FEC resources and physical removal of PII will be included in the GSS risk assessment. Completed in 2009.
2010 Follow-up Audit Status: Open (Modified repeat finding). Refer to Finding 5. Current Risk Assessments of Systems Containing PII Are Not Performed on page 26.

Finding: (same as above)
Recommendation: Implement technical and/or policy controls to prevent access to the Commission’s resources for non-encrypted laptops either locally or remotely.
Auditor verified Status December 2007: Open. Management is in the process of implementing a Cisco Network Access Control Device that will deny or restrict access to the FEC’s network for devices not in compliance with the FEC’s policies and minimum settings. This device will not, however, be implemented until Calendar Year 2008. The NAC has not been implemented; however, we have implemented policies and procedures to prevent access from non-encrypted laptops either locally or remotely.
2010 Follow-up Audit Status: Open (Repeat finding). Refer to Finding 6. Mobile Computing Policy, Device Encryption and Controls on page 28.

Finding: Verify adequacy of organizational policy
Recommendation: Update the Mobile Computing Security Policy to more accurately reflect which systems will be encrypted and which ones will be password protected in order to remove any ambiguities in the policy. Management should incorporate explicit rules for determining if remote access is allowed, user training and accountability measures in place to ensure that remote use of PII does not result in bypassing management controls.
Auditor verified Status December 2007: Open. Management did not change the Mobile Computing Security Policy to clarify which systems will be password protected and which will be encrypted. The policy states that “all mobile computing devices including Blackberries and Palm Pilots must be encrypted and/or password protected.” The Commission stated that laptops must be encrypted and password protected while other devices, such as Blackberries and Palm Pilots, only need to be password protected. This is still, however, unclear in the policy. Laptop and Blackberry data transmissions are encrypted at the server level.
2010 Follow-up Audit Status: Open (Repeat finding). Refer to Finding 6. Mobile Computing Policy, Device Encryption and Controls on page 28.

Finding: Implement protections for remote access to personally identifiable information
Recommendation: Update Commission mobile computing security policies to include procedures for downloading and remote storage of data.
Auditor verified Status December 2007: Open. Management did not change the Mobile Computing Security Policy to include procedures for downloading and remote storage of data. Users are periodically reminded to save files to the network through emails and newsletters. The policy has not, however, changed.
2010 Follow-up Audit Status: Open (Repeat finding). Refer to Finding 10. Protections for Remote Access to PII on page 52.

Finding: (same as above)
Recommendation: Implement a timeout feature for laptops/desktops which will time out after 30 minutes of inactivity. [No timeout feature is in place for other peripheral devices.]
Auditor verified Status December 2007: Open. We reviewed the Blackberry server settings and noted that the timeout is set at 60 minutes instead of 30 minutes. In addition, users have the ability to change the timeout setting. The 30 minute timeout is set at the server level, so even if the user changed it, it would change back.
2010 Follow-up Audit Status: Closed.

Finding: Additional Agency Requirements
Recommendation: Log all computer-readable data extracts, as comprehensive implementation of encryption on all portable computers will ensure PII is adequately protected.
Auditor verified Status December 2007: Open. Management considers logging all computer readable data extracts as neither feasible nor reasonable and therefore does not intend to complete this recommendation.
2010 Follow-up Audit Status: Open (Repeat finding). Refer to Finding 9. Logging on page 49.


OIG 07-02 Performance Audit of Privacy and Data Protection
(Columns: Finding; Recommendation; Management Status May 2010; 2010 Follow-up Audit Testing NFR)

Finding: 1. A Comprehensive Inventory of Personally Identifiable Information Has Not Been Documented
Recommendation: 1a. Conduct a comprehensive review to identify and document all PII collected, processed, and stored within the FEC.
Management Status May 2010: Complete April 2009.
2010 Follow-up Audit Testing NFR: Closed. An inventory of FEC PII was prepared by contractor STSI (dated May 2009). The modified repeat finding concept (an inventory prepared but not maintained) is included in Finding 4. A Current PII Inventory is not Maintained on page 22.

Recommendation: 1b. Develop, document, and implement procedures for periodically updating the FEC’s inventory of PII.
Management Status May 2010: The FEC conducted a PII review in 2009 and procedures for periodically updating PII are in development.
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 4. A Current PII Inventory is not Maintained on page 22.

Finding: 2. Safeguards Over Sensitive Personally Identifiable Information Need Improvement
Recommendation: 2a. Develop and implement a comprehensive data management framework to ensure that sensitive PII in both hard copy and electronic format is adequately identified (including its location within the FEC), secured, and properly disposed of when no longer needed.
Management Status May 2010: Completed April 2009.
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 7. Safeguards Over Sensitive Agency Information and PII Need Improvement on page 37 and Finding 12. System of Records Notice (SORN) Updates on page 57.

Recommendation: 2b. Develop a policy and procedures to ensure that the FEC’s PII maintained or processed by third parties is adequately protected from unauthorized use or disclosure.
Management Status May 2010: Completed April 2009.
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 11. Vendor Due Diligence on page 54.

Finding: 3. Privacy Policies and Procedures Have Not Been Approved and Implemented
Recommendation: 3. Finalize, approve, and fully implement privacy policies, procedures, and directives in accordance with Federal laws and regulations.
Management Status May 2010: Completed.
2010 Follow-up Audit Testing NFR: Open (Modified repeat finding). Refer to Finding 8. Lack of Detailed Procedures and Periodic Review on page 45.

Finding: 4. Privacy Roles and Responsibilities Are Not Adequately Documented
Recommendation: 4a. Consider identifying one individual (position), such as the FEC Staff Director, as Chief Privacy Officer.
Management Status May 2010 (applies to 4a–4c): Management disagrees with Finding 4 and does not feel bound to comply with these Recommendations. In our response to the Finding, we agreed that “To the extent this Finding is about the specificity of the assignment of other responsibilities in the draft [Privacy] document [or document(s)], we will, of course, carefully consider the recommendations.”
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 1. Privacy Roles and Accountability on page 14.

Recommendation: 4b. Assign privacy roles and responsibilities to specific positions. In the event that the FEC continues with shared CPO and SAOP responsibilities, clearly delineate roles and responsibilities among individuals sharing these positions.
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 1. Privacy Roles and Accountability on page 14.

Recommendation: 4c. Identify, document, and assign roles and responsibilities for monitoring compliance with Federal and FEC privacy requirements.

Finding: 5. Privacy Training Has Not Been Provided to FEC Employees and Contractors
Recommendation: 5. We recommend that the Chief Privacy Officer develop and implement privacy training for all FEC employees and contractors to ensure that personnel understand their privacy roles and responsibilities.
Management Status May 2010: Completed.
2010 Follow-up Audit Testing NFR: Closed. The concept of training effectiveness is included in Finding 7. Safeguards Over Sensitive Agency Information and PII Need Improvement on page 37.

Finding: 6. Privacy Impact Assessments Have Not Been Conducted
Recommendation: 6a. Identify and implement a governance framework to ensure that controls within the FEC are appropriately identified, documented, and implemented.
Management Status May 2010 (applies to 6a–6c): Management disagrees with Finding 6 and does not feel bound to comply with these Recommendations. In our response to the Finding, we agreed to “carefully consider the recommendation regarding PIAs,” and with regard to the governance framework, stated that “management will need to obtain more information” and that the recommendation “will require careful and deliberate consideration by the Commission itself and the agency’s most senior management prior to any decision to implement the recommendation here.”
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 2. Privacy Impact Assessments Have Not Been Conducted on page 17.

Recommendation: 6b. Conduct privacy impact assessments in accordance with Section 522.
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 2. Privacy Impact Assessments Have Not Been Conducted on page 17.

Recommendation: 6c. Comply with OMB memorandums or, in the event of statutory exemption, document that sufficient controls exist to mitigate the need to comply. Where compliance is not adopted as the result of resource constraints, document the legal assessment, risk analysis, and cost-benefit to the FEC.
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 3. Monitoring and Review of Regulatory Requirements on page 20.

Finding: 7. Personnel Have Not Complied with the FEC Computer Security Policy
Recommendation: 7. We recommend that the Chief Information Officer take necessary steps to ensure user compliance with FEC IT security policies and procedures.
Management Status May 2010: Completed July 2008.
2010 Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 7. Safeguards Over Sensitive Agency Information and PII Need Improvement on page 37. Open (New finding). Refer to Finding 13. Training Workstations on page 61.


Additional Follow-up Verification Item
(Columns: Finding; Recommendation; Management Status August 2010; Follow-up Audit Testing NFR)

Finding: Controls are not adequate to ensure the Federal Election
Recommendation: Develop, document, and implement procedures for periodically updating the
Management Status August 2010: In addition to reviewing and publishing the SORNs, many of the remaining concerns raised in this finding and the
Follow-up Audit Testing NFR: Open (Repeat finding). Refer to Finding 12.
System of Records Notice (SORN) Updates\nCommission\xe2\x80\x99s (FEC)          FEC\xe2\x80\x99s inventory of PII           recommendations have already been\n                                                                                                           on page 57.\nSystem of Records           (recommendation 1b of main       addressed. The FEC has finalized and\n(SOR) is updated            report).                         implemented procedures for periodically\n\n\n\n\n                                                                              70\n\n\x0cOIG 07-02 Performance Audit of Privacy and Data Protection\nFinding               Recommendation                     Management Status May 2010                      2010 Follow-up Audit Testing NFR\nand published in        Finalize, approve, and fully     updating the FEC\'s inventory of personally\naccordance with the     implement privacy policies,      identifiable information (in connection with\nPrivacy Act of 1974     procedures, and directives in    the biennial review of its systems of\nand the Office of       accordance with Federal laws     records), privacy protection policies,\nManagement and          and regulations                  procedures, and directives and has identified\nBudget (OMB)            (recommendation 3 of main        Co-Chief Privacy Officers responsible for       Open (Repeat finding)\nCircular A-130          report).                         monitoring compliance with Federal and          Refer Finding 12. System of Records Notice (SORN) Updates\nAppendix I.             Identify, document, and assign   FEC privacy requirements.                       
on page 57.\n                        roles and responsibilities for\n                        monitoring compliance with\n                        Federal and FEC privacy\n                        requirements (recommendation\n                        4c of main report)\n\n\n\n\n                                                                          71\n\n\x0c                                             ATTACHMENT 3\n                                              DEFINITIONS\n\nPersonally Identifiable Information (PII): Any piece of information that can potentially be used to uniquely\nidentify, contact, or locate a single person. Information such as social security numbers and banking information\nare generally considered sensitive.\n\nPrivacy Impact Assessment (PIA): is an analysis of how information is handled: (i) to ensure handling\nconforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and\neffects of collecting, maintaining and disseminating information in identifiable form in an electronic information\nsystem, and (iii) to examine and evaluate protections and alternative processes for handling information to\nmitigate potential privacy risks.\n\nSystem of Records (SOR): A group of any records under the control of any agency from which information is\nretrieved by the name of the individual or by some identifying number, symbol, or other identifying particular\nassigned to the individual.\n\nSystem of Records Notice (SORN): A group of any records under the control of any agency from which\ninformation is retrieved by the name of the individual or by some identifying number, symbol, or other identifying\nparticular assigned to the individual that is required to be published in the Federal register in accordance with the\n1974 Privacy Act.\n\n\n\n\n                                                  72\n\n\x0c                                                  ATTACHMENT 4\nFederal Register\nVol. 75, No. 
216, Tuesday, November 9, 2010
Presidential Documents
Title 3, The President

Executive Order 13556 of November 4, 2010
Controlled Unclassified Information

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Purpose. This order establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.

At present, executive departments and agencies (agencies) employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency-specific policies are often hidden from public view has only aggravated these issues.

To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice.

Sec. 2. Controlled Unclassified Information (CUI).
(a) The CUI categories and subcategories shall serve as exclusive designations for identifying unclassified information throughout the executive branch that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies.
(b) The mere fact that information is designated as CUI shall not have a bearing on determinations pursuant to any law requiring the disclosure of information or permitting disclosure as a matter of discretion, including disclosures to the legislative or judicial branches.
(c) The National Archives and Records Administration shall serve as the Executive Agent to implement this order and oversee agency actions to ensure compliance with this order.

Sec. 3. Review of Current Designations.
(a) Each agency head shall, within 180 days of the date of this order:
  (1) review all categories, subcategories, and markings used by the agency to designate unclassified information for safeguarding or dissemination controls; and
  (2) submit to the Executive Agent a catalogue of proposed categories and subcategories of CUI, and proposed associated markings for information designated as CUI under section 2(a) of this order. This submission shall provide definitions for each proposed category and subcategory and identify the basis in law, regulation, or Government-wide policy for safeguarding or dissemination controls.
(b) If there is significant doubt about whether information should be designated as CUI, it shall not be so designated.

Sec. 4. Development of CUI Categories and Policies.
(a) On the basis of the submissions under section 3 of this order or future proposals, and in consultation with affected agencies, the Executive Agent shall, in a timely manner, approve categories and subcategories of CUI and associated markings to be applied uniformly throughout the executive branch and to become effective upon publication in the registry established under subsection (d) of this section. No unclassified information meeting the requirements of section 2(a) of this order shall be disapproved for inclusion as CUI, but the Executive Agent may resolve conflicts among categories and subcategories of CUI to achieve uniformity and may determine the markings to be used.
(b) The Executive Agent, in consultation with affected agencies, shall develop and issue such directives as are necessary to implement this order. Such directives shall be made available to the public and shall provide policies and procedures concerning marking, safeguarding, dissemination, and decontrol of CUI that, to the extent practicable and permitted by law, regulation, and Government-wide policies, shall remain consistent across categories and subcategories of CUI and throughout the executive branch. In developing such directives, appropriate consideration should be given to the report of the interagency Task Force on Controlled Unclassified Information published in August 2009. The Executive Agent shall issue initial directives for the implementation of this order within 180 days of the date of this order.
(c) The Executive Agent shall convene and chair interagency meetings to discuss matters pertaining to the program established by this order.
(d) Within 1 year of the date of this order, the Executive Agent shall establish and maintain a public CUI registry reflecting authorized CUI categories and subcategories, associated markings, and applicable safeguarding, dissemination, and decontrol procedures.
(e) If the Executive Agent and an agency cannot reach agreement on an issue related to the implementation of this order, that issue may be appealed to the President through the Director of the Office of Management and Budget.
(f) In performing its functions under this order, the Executive Agent, in accordance with applicable law, shall consult with representatives of the public and State, local, tribal, and private sector partners on matters related to approving categories and subcategories of CUI and developing implementing directives issued by the Executive Agent pursuant to this order.

Sec. 5. Implementation.
(a) Within 180 days of the issuance of initial policies and procedures by the Executive Agent in accordance with section 4(b) of this order, each agency that originates or handles CUI shall provide the Executive Agent with a proposed plan for compliance with the requirements of this order, including the establishment of interim target dates.
(b) After a review of agency plans, and in consultation with affected agencies and the Office of Management and Budget, the Executive Agent shall establish deadlines for phased implementation by agencies.
(c) In each of the first 5 years following the date of this order and biennially thereafter, the Executive Agent shall publish a report on the status of agency implementation of this order.

Sec. 6. General Provisions.
(a) This order shall be implemented in a manner consistent with:
  (1) applicable law, including protections of confidentiality and privacy rights;
  (2) the statutory authority of the heads of agencies, including authorities related to the protection of information provided by the private sector to the Federal Government; and
  (3) applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology, and applicable policies established by the Office of Management and Budget.
(b) The Director of National Intelligence (Director), with respect to the Intelligence Community and after consultation with the heads of affected agencies, may issue such policy directives and guidelines as the Director deems necessary to implement this order with respect to intelligence and intelligence-related information. Procedures or other guidance issued by Intelligence Community element heads shall be in accordance with such policy directives or guidelines issued by the Director. Any such policy directives or guidelines issued by the Director shall be in accordance with this order and directives issued by the Executive Agent.
(c) This order shall not be construed to impair or otherwise affect the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, and legislative proposals.
(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
(e) This order shall be implemented subject to the availability of appropriations.
(f) The Attorney General, upon request by the head of an agency or the Executive Agent, shall render an interpretation of this order with respect to any question arising in the course of its administration.
(g) The Presidential Memorandum of May 7, 2008, entitled "Designation and Sharing of Controlled Unclassified Information (CUI)" is hereby rescinded.

THE WHITE HOUSE,
November 4, 2010.

[FR Doc. 2010–28360 Filed 11–8–10; 8:45 am]
Billing code 3195–W1–P

Federal Election Commission
Office of Inspector General

Fraud Hotline
202-694-1015
or toll free at 1-800-424-9530 (press 0; then dial 1015)
Fax us at 202-501-8134 or e-mail us at oig@fec.gov
Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463

Individuals, including FEC and FEC contractor employees, are encouraged to alert the OIG to fraud, waste, abuse, and mismanagement of agency programs and operations. Individuals who contact the OIG can remain anonymous. However, persons who report allegations are encouraged to provide their contact information in the event additional questions arise as the OIG evaluates the allegations. Allegations with limited details or merit may be held in abeyance until further specific details are reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector General will not disclose the identity of an individual who provides information without the consent of that individual, unless the Inspector General determines that such disclosure is unavoidable during the course of an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml

Together we can make a difference.